| 1 |
On Sat, 21 Jan 2017 18:04:51 +0000 |
| 2 |
Robert Sharp <selinux@×××××××××××××××.org> wrote: |
| 3 |
|
| 4 |
> type=AVC msg=audit(1485020695.038:10368): avc: denied |
| 5 |
> { create } for pid=20374 comm="su" |
| 6 |
> scontext=staff_u:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_t |
| 7 |
> tclass=key permissive=1 |
| 8 |
|
| 9 |
I haven't looked at this in detail, so please forgive me if my answer |
| 10 |
is utter nonsense: Have you considered that this denial might be caused |
| 11 |
by UBAC (that's the fancy name for the restrictions refpolicy places |
| 12 |
upon interactions between different selinux users, staff_u and root in |
| 13 |
this case)? |
| 14 |
|
| 15 |
Anyway, personally I've never tried making su work with SELinux. |
| 16 |
"sudo -r sysadm_r -t sysadm_t" works like a charm. |
| 17 |
|
| 18 |
Regards, |
| 19 |
Luis Ressel |
Archives