su issues for non-root user if SELinux is on

sluge

New Member
Joined
Sep 18, 2019
Messages
4
Reaction score
0
Credits
38
Hello,
I have a common user on my RHEL 7.6 server and when SELinux is off, su command works for it. But when SElinux is on, su command doesn't work anymore.
In the PAM sources I found that

#ifndef HELPER_COMPILE
if (geteuid() || SELINUX_ENABLED)
return PAM_UNIX_RUN_HELPER;
#endif

a special command unix_chkpwd is used to check the password if SELinux is on. This command has a code:

user = getuidname(getuid());
/* if the caller specifies the username, verify that user
matches it */
if (strcmp(user, argv[1])) {
user = argv[1];
/* no match -> permanently change to the real user and proceed */
if (setuid(getuid()) != 0)
return PAM_AUTH_ERR;

In my case user is common user name and argv[1] is root, and in that case setuid is executed for uid of common user.
Do you know why it works so?
Is any way to make su works when SELinux is on?
 


Last edited:

Staff online


Top