On Thu, 2004-03-11 at 16:17, Jeff Johnson wrote:
> All true.
>
> But there's always
> sudo su -

With SELinux in enforcing mode, that would still require root password authentication; pam_rootok performs a SELinux permission check (in addition to the usual test) to see whether the calling domain is authorized to bypass normal authentication. And the role and domain transitions would still need to be authorized; if you started from user_r, SELinux wouldn't let you get to sysadm_r (unless someone has messed up the policy).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency