Rocky 9.2 unable to su

I have a fresh install of Rocky 9 DVD as a “Workstation with GUI” and I have selected the CIS RHEL 9 Workstation Level 1 Benchmark security profile and I have SELinux in enforcing mode. I am running into a problem where a non-privileged user is unable to execute an “su” to become root or to another user even with a correct password. When an “su” is executed an error message is returned as:

su: Permission denied

I have never encountered this situation before and I cannot find any information in the log files to indicate the source of the problem. When I execute (as user1)

su user2

the /var/log/messages file shows this entry:

Jul 13 13:21:12 user1 su[54604]: FAILED SU (to user2) user1 on pts/1

I see no entries in /var/log/secure to indicate a password failure. There is an entry in /var/log/audit/audit.log as:

type=USER_AUTH msg=audit(1689269269.922:621): pid=55167 uid=1000 auid=1000 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="user2" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/1 res=failed' UID="user1" AUID="user2"

Truthfully I have no idea as to how to interpret this to get a clue as to the reason for the failure. I have tried disabling SELinux enforcement but that did not resolve the issue. I have verified that the passwords are correct by logging in to the accounts via ssh with no issues. If I make the non-privileged user a member of the wheel group I can sudo or su but I do not wish to do this. Any suggestions as to what may be wrong would be appreciated!

I would say the thing you did wrong was select the CIS security profile. You should have just left it as it was by not selecting it.

Do a new install, without selecting the security profile, and you will see that su works.

Selecting security profiles puts restrictions on what you can and cannot do.

Thank you for your reply but I have other Rocky 9.2 installs with the same security profile without this issue manifesting. And I have valid reasons why it is necessary to select that security profile.

As far as I know, the CIS profile makes it so that a user must be part of the wheel group to perform su. You can verify this in /etc/pam.d/su.

Thank you so much for the helpful post! I also discovered this about 15 minutes ago after digging through the CIS profile document for Rocky 9 which I downloaded and dug into. There is a suggested alternative on page 617 of that document which involves creating a special group which would allow members to execute su. I was just about to post about this but you beat me to it. I spent a half day puzzling over this but learned quite a lot. Thanks again for the great answer!

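As an added example (not code from the thread or from the Rocky project), a small POSIX sh script that reads a pam.d/su-style file, reports whether an active pam_wheel.so line restricts su to a group, and predicts the pam_wheel outcome for a user's group list, which is the gate behind the "FAILED SU" and "Permission denied" seen above. The sample file contents, the group name sugroup and the function names are constructed for illustration; the dedicated-group alternative is assumed to be expressed as a pam_wheel.so group= option.

```shell
#!/bin/sh
# Inspect a pam.d/su file for the pam_wheel.so gate and predict its verdict.

# Print the restriction an su-style PAM file imposes:
#   "group=NAME"  when an active "auth required|requisite pam_wheel.so" line
#                 exists (NAME from its group= option, else pam_wheel's default "wheel")
#   "none"        when no such active line exists
su_restriction() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /pam_wheel\.so$/ {
            grp = "wheel"                                # pam_wheel default
            for (i = 4; i <= NF; i++)
                if (sub(/^group=/, "", $i)) grp = $i     # honour a group= option
            print "group=" grp; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Given a user'"'"'s space-separated groups and a restriction string,
# print "allowed" or "denied" (the password prompt only follows "allowed").
su_gate() {
    groups=$1; restriction=$2
    case $restriction in
        none)    echo allowed; return ;;
        group=*) want=${restriction#group=} ;;
    esac
    for g in $groups; do
        [ "$g" = "$want" ] && { echo allowed; return; }
    done
    echo denied
}

# Constructed sample: approximation of the stock Rocky 9 /etc/pam.d/su,
# where both pam_wheel lines ship commented out.
stock=$(mktemp); cat > "$stock" <<'EOF'
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
EOF
# Constructed sample: the same file with the gate enabled for a dedicated group.
cis=$(mktemp); sed 's/^#auth\(.*pam_wheel.so use_uid\)$/auth\1 group=sugroup/' "$stock" > "$cis"

echo "stock restriction: $(su_restriction "$stock")"   # none
echo "cis restriction:   $(su_restriction "$cis")"     # group=sugroup
echo "user1 (groups: user1):         $(su_gate 'user1' "$(su_restriction "$cis")")"          # denied
echo "user1 (groups: user1 sugroup): $(su_gate 'user1 sugroup' "$(su_restriction "$cis")")"  # allowed
rm -f "$stock" "$cis"
```

Run it against the real file with `su_restriction /etc/pam.d/su` and compare the reported group with `id -nG` for the affected user.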

There’s a sudo or sudoers group.

I don’t know how I did it but I managed to kick myself out of that group at some point.
