On Fri, 2004-04-02 at 09:56, murphy pope wrote:
> Everything that I've read says that the 'su' command will change my
> Linux user ID but not my identity. Here's what I see:
>
> # id -Z
> root:staff_r:staff_t
> # su fred
> Your default context is fred:sysadm_r:sysadm_t.
>
> Do you want to choose a different one? [n]n
> $ id -Z
> fred:sysadm_r:sysadm_t
>
> My identity changed from 'root' to 'fred'. Bug? That seems a pretty
> fundamental flaw considering that every document that I've read uses
> 'su' to explain the difference between a user ID and an identity.
>
> By the way, I see the same result whether I use 'su' or 'su -'. I see
> the same result (a change in identity) whether I su from root to fred
> or from fred to root.
>
> So which one is right? The documentation or the code?

RedHat chose to integrate security context transitions into su (via
pam_selinux). The NSA documentation and externally developed
sourceforge selinux HOWTOs/FAQs were written prior to that change.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency