On Fri, 2010-04-09 at 08:16 -0400, Alan Rouse wrote:
> Two questions:
>
> 1. I'm working with selinux in opensuse. With selinux in enforcing mode, su is not working. For example, suppose root tries to su to an unprivileged user. I'm asked if I would like to enter a security context [N]. If I say no, it responds "su: cannot not open session: Authentication failure". With selinux in permissive mode, it works... and no avc messages are logged.
>
> Any idea what I have done wrong?
>
> 2. When I try to su to an unprivileged user, and it asks if I would like to enter a security context, suppose I say yes. It asks for a role, and I enter 'user_r'. Then it asks for a level. What kind of answer does it expect here? Nothing I've tried works....

Remove pam_selinux from /etc/pam.d/su. Early Fedora and RHEL-4 put pam_selinux in /etc/pam.d/su in an effort to automatically change contexts upon user identity changes. This proved to be a mistake in practice (and a deviation from the original SELinux approach), and was subsequently removed in later Fedora and RHEL-5.
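The fix from the reply, applied to a file, as an added example that is not part of the original message: the function comments out active pam_selinux lines in one PAM service file and keeps a backup. The names `disable_pam_selinux` and `write_sample` and the sample file contents are constructed for illustration and are not openSUSE's actual /etc/pam.d/su.

```shell
#!/bin/sh
# Added example (not from the original thread).

# Comment out every active pam_selinux line in one PAM service file.
# On a real system FILE would be /etc/pam.d/su, edited as root.
# Prints the number of lines disabled; the original is kept as FILE.bak.
disable_pam_selinux() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Count active references only; lines already commented out are ignored.
    # "|| true" because grep -c exits non-zero when the count is 0.
    count=$(grep -v '^[[:space:]]*#' "$file" | grep -c 'pam_selinux\.so' || true)
    if [ "$count" -gt 0 ]; then
        cp -p "$file" "$file.bak" || return 1
        # Prefix matching lines with "#" rather than deleting them, so the
        # change is easy to review and to revert.
        sed '/^[[:space:]]*#/!s/^.*pam_selinux\.so/#&/' "$file.bak" > "$file" || return 1
    fi
    echo "$count"
}

# Constructed sample resembling a PAM service file with pam_selinux wired
# into the session stack.
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth     sufficient pam_rootok.so
auth     include    common-auth
account  include    common-account
session  required   pam_selinux.so close
session  include    common-session
session  required   pam_selinux.so open
# session optional pam_selinux.so (already disabled)
EOF
}

# Demo on a temporary copy; nothing under /etc is touched.
demo=$(mktemp)
write_sample "$demo"
echo "disabled $(disable_pam_selinux "$demo") line(s) in the constructed sample"
rm -f "$demo" "$demo.bak"
```

Running the function a second time on the same file reports 0 and leaves the backup untouched.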