On Sat, 21 Jan 2017 18:04:51 +0000
Robert Sharp <selinux@×××××××××××××××.org> wrote:

> type=AVC msg=audit(1485020695.038:10368): avc: denied
> { create } for pid=20374 comm="su"
> scontext=staff_u:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_t
> tclass=key permissive=1

I haven't looked at this in detail, so please forgive me if my answer
is utter nonsense: Have you considered that this denial might be caused
by UBAC (that's the fancy name for the restrictions refpolicy places
upon interactions between different selinux users, staff_u and root in
this case)?

Anyway, personally I've never tried making su work with SELinux.
"sudo -r sysadm_r -t sysadm_t" works like a charm.

Regards,
Luis Ressel
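
Added example (not part of the original message, and not refpolicy code): a small triage script that scans AVC records and flags denials where the source and target SELinux users differ, which is the pattern the UBAC suggestion above rests on. The second log record, the function names and the system_u exemption are assumptions made for illustration.

```python
import re

# Constructed sample input. Record 1 is the denial quoted in the message, joined
# onto one line; record 2 is a constructed same-user denial for contrast.
SAMPLE_LOG = (
    'type=AVC msg=audit(1485020695.038:10368): avc: denied { create } for '
    'pid=20374 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t '
    'tcontext=root:sysadm_r:sysadm_t tclass=key permissive=1\n'
    'type=AVC msg=audit(1485020700.000:10400): avc: denied { read } for '
    'pid=20380 comm="cat" scontext=staff_u:staff_r:staff_t '
    'tcontext=staff_u:object_r:example_file_t tclass=file permissive=1\n'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Assumption: refpolicy's UBAC constraints exempt system_u on either side.
UBAC_EXEMPT_USERS = {"system_u"}


def selinux_user(context):
    """Return the user field of a user:role:type[:range] context."""
    return context.split(":", 1)[0]


def ubac_candidates(log_text):
    """Return denials whose source and target SELinux users differ.

    A mismatch is only a hint: the log does not show whether both types are
    UBAC-constrained in the loaded policy, so confirm against the policy.
    """
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = selinux_user(m["scontext"]), selinux_user(m["tcontext"])
        if src != tgt and not {src, tgt} & UBAC_EXEMPT_USERS:
            hits.append({"source_user": src, "target_user": tgt,
                         "tclass": m["tclass"], "perms": m["perms"].split()})
    return hits


if __name__ == "__main__":
    for hit in ubac_candidates(SAMPLE_LOG):
        print(hit)
```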