su, context(selinux?) 2nd prompt

Daniel J Walsh dwalsh at redhat.com
Mon Jan 30 19:35:00 UTC 2006


Kanwar Ranbir Sandhu wrote:
> On Wed, 2006-25-01 at 12:06 -0500, Daniel J Walsh wrote:   
>   
>>>> Remove multiple from the pam file.
>>>>     
>>>>         
>>> editing /etc/pam.d/su, changing
>>> session    required     /lib/security/$ISA/pam_selinux.so open multiple
>>> to
>>> session    required     /lib/security/$ISA/pam_selinux.so open
>>>
>>> Did the trick, thanks Dan!
>>>
>>> # rpm -q -f /etc/pam.d/su
>>> coreutils-5.2.1-31.2
>>>
>>>   
>>>       
>> You can actually remove the pam_selinux.so lines from the su file 
>> altogether.  We have done this for FC5 and it works
>> fine.  In strict or MLS Policy you will be required to run newrole but 
>> in targeted everything should just work.
>>     
>
> I'm seeing the same behaviour with telnetd.  I had to install it for a
> client that runs a text based app which Windows users telnet into (it's
> only open to the local network, and the app loads immediately after
> login).
>
> When a user logs in via telnet, the same question appears.  I told my
> client to just accept the default answer, which is "no".  Ideally, I'd
> like to remove the option all together.
>
> I assume it's possible to turn it off like it was for "su", but I'm not
> sure which file to edit.  /etc/pam.d/login looks like the closest one,
> specifically this line:
>
> # pam_selinux.so open should be the last session rule
> session    required     pam_selinux.so multiple open
>
> I'm not sure though.  Any tips?
>
> Regards,
>
> Ranbir
>
>   
Remove multiple for the pam_selinux line.




More information about the selinux mailing list