List:       gentoo-hardened
Subject:    RE: Re: [gentoo-hardened] Problems with su on 20120215 policy and latest policycoreutils
From:       Krzysztof Nowicki <krissn () op ! pl>
Date:       2012-03-11 18:59:43
Message-ID: 6028768-d70d18363313c6c5e71c1e051b7254ef () pmq2 ! m5r2 ! onet

On 2012-03-10 20:42:07, user Sven Vermeulen <swift@gentoo.org> wrote:
> On Sat, Mar 10, 2012 at 07:07:54PM +0100, Krzysztof Nowicki wrote:
> > Recently I've upgraded the policy to the latest testing version. I've also had to upgrade policycoreutils (+deps) to the versions from the overlay, since they're required by the policies. Everything seems to be working fine for now, but I noticed a problem with su. Every time I try to use it an error is displayed:
> >
> > su: Authentication service cannot retrieve authentication info
> >
> > This message is displayed regardless of the user executing su (even for root/sysadm_r).
> [...]
>
> Hi Krzysztof,
>
> This should be tackled with selinux-base-policy-2.20120215-r3 (and
> selinux-base-2.20120215-r3) and later. Can you check if that is indeed met?
>
> Iirc, the su domains needed getattr rights on the security_t domain:
>
> ~# sesearch -s staff_su_t -t security_t -c filesystem -p getattr -A;
> Found 1 semantic av rules:
>   allow staff_su_t security_t : filesystem getattr ;
>
> Wkr,
> 	Sven Vermeulen

Hi Sven,

Thanks, that helped a lot. I had -r1 previously and since I forgot to update the overlay I didn't see the latest revisions.

Best regards
Chris
