[CentOS] Re: su, context(selinux?) 2nd prompt

Kanwar Ranbir Sandhu m3freak at rogers.com
Fri Jan 27 21:42:13 UTC 2006


On Wed, 2006-25-01 at 12:06 -0500, Daniel J Walsh wrote:   
> >> Remove multiple from the pam file.
> >>     
> >
> > editing /etc/pam.d/su, changing
> > session    required     /lib/security/$ISA/pam_selinux.so open multiple
> > to
> > session    required     /lib/security/$ISA/pam_selinux.so open
> >
> > Did the trick, thanks Dan!
> >
> > # rpm -q -f /etc/pam.d/su
> > coreutils-5.2.1-31.2
> >
> >   
> You can actually remove the pam_selinux.so lines from the su file 
> altogether.  We have done this for FC5 and it works
> fine.  In strict or MLS Policy you will be required to run newrole but 
> in targeted everything should just work.

I'm seeing the same behaviour with telnetd.  I had to install it for a
client that runs a text-based app which Windows users telnet into (it's
only open to the local network, and the app loads immediately after
login).

When a user logs in via telnet, the same question appears.  I told my
client to just accept the default answer, which is "no".  Ideally, I'd
like to remove the option altogether.

I assume it's possible to turn it off like it was for "su", but I'm not
sure which file to edit.  /etc/pam.d/login looks like the closest one,
specifically this line:

# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

I'm not sure though.  Any tips?

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.14-1.1656_FC4 i686 GNU/Linux 
16:34:54 up 9:34, 5 users, load average: 0.06, 0.35, 0.43 
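
Added example, not part of the original message: a read-only shell audit that lists every PAM service file whose session rule passes `multiple` to pam_selinux.so, and prints each rule with that argument dropped, as was done for /etc/pam.d/su in the quoted text. The function names and the sshd sample file are assumptions made for illustration; the su and login rules are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of PAM service files
# for session rules that pass "multiple" to pam_selinux.so.

# find_selinux_multiple [DIR]  -> prints "file:lineno:rule" per matching rule
find_selinux_multiple() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/        { next }   # commented-out rule
            $1 != "session"   { next }   # only session rules are relevant here
            {
                mod = 0; multi = 0
                # the module path follows the control field, arguments follow it
                for (i = 3; i <= NF; i++) {
                    if ($i ~ "(^|/)pam_selinux[.]so$") mod = i
                    else if (mod && $i == "multiple") multi = 1
                }
                if (mod && multi) print file ":" NR ":" $0
            }' "$f"
    done
}

# strip_multiple RULE  -> prints RULE without the standalone "multiple" argument
strip_multiple() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]+multiple([[:space:]]|$)/\1/'
}

# make_sample_dir  -> prints the path of a temp dir holding constructed files;
# the su and login rules are the ones quoted in the thread, sshd is made up.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'session    required     /lib/security/$ISA/pam_selinux.so open multiple' > "$d/su"
    printf '%s\n' '# pam_selinux.so open should be the last session rule' \
                  'session    required     pam_selinux.so multiple open' > "$d/login"
    printf '%s\n' 'session    required     pam_selinux.so open' > "$d/sshd"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
find_selinux_multiple "$sample" | while IFS= read -r rec; do
    rule=${rec#*:*:}                       # drop the "file:lineno:" prefix
    printf '%s\n  -> %s\n' "$rec" "$(strip_multiple "$rule")"
done
rm -rf "$sample"
```

Calling `find_selinux_multiple` with no argument scans /etc/pam.d; nothing is modified, so any change to a reported file remains a manual edit.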