When running su `-bash: /bin/su: Permission denied`

Solution Unverified

Environment

  • Red Hat Enterprise Linux 6

Issue

  • SELinux is preventing an account from running /bin/su.
  • If SELinux is disabled, su works. What must be changed to allow it with SELinux enforcing?
[root@localhost ~]$ su -
-bash: /bin/su: Permission denied

Resolution

  • Follow the steps below to resolve the problem:
Step1) Check the user's SELinux login mapping

[root@localhost ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
testuser                  user_u                    s0                       <=== mapped to the confined SELinux user user_u
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
[root@localhost ~]# 

Log in as the user and verify the context:

[testuser@localhost ~]$ id -Z
user_u:user_r:user_t:s0                <=== user runs in the confined "user_t" domain

[testuser@localhost ~]$ su
-bash: su: command not found      <=== su is denied (the shell reports this or "Permission denied")
[testuser@localhost ~]$ 

Step2) Delete the login mapping so that testuser falls back to the __default__ mapping (unconfined_u):

[root@localhost ~]# semanage login -d testuser
[root@localhost ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
[root@localhost ~]# 

Step3) Log in again as the user (the new mapping applies to new logins only; an existing session keeps its user_t context) and verify the context:

[testuser@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023       <====Correct context
[testuser@localhost ~]$ 

[testuser@localhost ~]$ su -
Password:                                       <=== su now succeeds and gives a root shell
[root@localhost testuser]# 
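As an added example (not part of the Red Hat solution), the following bash script automates Step 1 and the choice of fix: it parses the table that semanage login -l prints, resolves the SELinux user a login will receive (an explicit entry, otherwise __default__) and reports whether that SELinux user's login domain may run su. The sample table is constructed to match Step 1; the list of which SELinux users may run su is an assumption based on the RHEL 6 targeted policy defaults, and the function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the Red Hat solution: given the table printed by
# `semanage login -l`, work out which SELinux user a login will receive and
# whether the targeted policy lets that user's login domain execute /bin/su.

# Constructed sample of `semanage login -l` output, mirroring Step 1 above.
SAMPLE_SEMANAGE_LOGIN_L='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
testuser                  user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Print the SELinux user for LOGIN: an explicit entry wins, otherwise the
# __default__ entry applies. Reads the semanage table on stdin.
# (Group entries of the form %group are not handled here.)
effective_seuser() {
    awk -v login="$1" '
        NF >= 2 && $1 != "Login" { map[$1] = $2 }
        END {
            if (login in map)               print map[login]
            else if ("__default__" in map)  print map["__default__"]
            else                            exit 1
        }'
}

# Return 0 if the SELinux user's login domain may run su, 1 if it is confined
# and may not, 2 if the name is unknown. Assumption: RHEL 6 targeted policy
# defaults, where user_u/guest_u/xguest_u cannot run su or sudo while
# staff_u/sysadm_u/unconfined_u can.
su_allowed() {
    case "$1" in
        unconfined_u|staff_u|sysadm_u) return 0 ;;
        user_u|guest_u|xguest_u)       return 1 ;;
        *)                             return 2 ;;
    esac
}

# Diagnose LOGIN against the table on stdin and print the remediation the
# solution uses (drop the mapping) plus the tighter alternative (staff_u).
# Exit status: 0 su permitted, 1 confined, 2 no mapping or unknown SELinux user.
diagnose_login() {
    local login="$1" seuser rc
    seuser=$(effective_seuser "$login") || { echo "$login: no mapping found"; return 2; }
    if su_allowed "$seuser"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$login -> $seuser: su permitted" ;;
        1) echo "$login -> $seuser: confined, cannot execute /bin/su"
           echo "  fix (unconfine, as in the solution): semanage login -d $login"
           echo "  fix (stay confined, allow su):      semanage login -m -s staff_u $login" ;;
        *) echo "$login -> $seuser: unknown SELinux user, check semanage user -l" ;;
    esac
    return $rc
}

# Stand-alone run against the constructed sample (exit status ignored here).
for login in testuser alice; do
    printf '%s\n' "$SAMPLE_SEMANAGE_LOGIN_L" | diagnose_login "$login" || :
done
```

On a real host pipe the live table in instead of the sample: semanage login -l | diagnose_login testuser. A changed mapping only affects new logins, so confirm with id -Z after the user logs in again.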

Root Cause

The login testuser was mapped to the SELinux user user_u, so its shell ran in the confined user_t domain. In the targeted policy user_t is not permitted to execute /bin/su (or sudo), so the kernel refuses the execve regardless of the file's DAC permissions and the shell reports "Permission denied" or "command not found"; with SELinux disabled only DAC permissions apply and su works. Deleting the mapping lets the login fall back to __default__ (unconfined_u), whose unconfined_t domain carries no such restriction. If the account should remain confined, map it to staff_u instead (semanage login -m -s staff_u testuser), which the targeted policy allows to run su and sudo. The denial is recorded as an AVC message in /var/log/audit/audit.log and can be listed with ausearch -m avc -c su.

Diagnostic Steps

  • How to reproduce: map a login to the confined SELinux user user_u, for example with semanage login -a -s user_u testuser, then log in as that user and run su. The output of semanage login -l, id -Z and su is the same as shown in Step 1 of the Resolution.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
