On Thursday 26 January 2006 14:51, Bruce Ecroyd <bruce.ecroyd@xxxxxxxxx> wrote:
> The last part of the /var/log/audit/audit.log shows:
> type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5
> success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250
> auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
> fsgid=100 comm="su" exe="/bin/su"
> type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for
> pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
> tcontext=user_u:object_r:sysadm_home_dir_t tclass=file

When running as user_u you should not be creating any files in a directory with label sysadm_home_dir_t. If such file creation was permitted then user_t would be able to subvert sysadm_t.

> If I change to strict, enforcing, will this prevent me from su to root?

If you log in as staff_r:staff_t then you will be able to su to root with administrative privs, otherwise not. This is by design.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
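
An added example, not part of the original message: a small Python parser that pairs the SYSCALL and AVC records quoted above by their shared audit serial number and reports denials raised while a process ran with euid 0 under a non-root real uid, together with the source and target types. The function names are hypothetical, and reading `success=yes` on a denied event as "logged but not enforced" is an assumption about how the records were produced.

```python
import re
from collections import defaultdict

# Records copied from the quoted message above, with the mail line wraps rejoined.
SAMPLE = """\
type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
"""
HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:  # AVC records carry the decision and the permission set
            fields["result"], fields["perms"] = p.group(1), p.group(2).split()
        events[int(serial)][rtype] = fields
    return dict(events)

def setuid_root_denials(events):
    """Denied AVCs from processes with euid 0 but a non-root real uid."""
    findings = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or avc.get("result") != "denied":
            continue
        if sc.get("euid") != "0" or sc.get("uid") == "0":
            continue
        findings.append({
            "serial": serial, "comm": avc.get("comm"), "perms": avc["perms"],
            "tclass": avc.get("tclass"),
            # Context is user:role:type, optionally followed by an MLS level.
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            # Assumption: a denied AVC whose syscall still succeeded was only logged.
            "logged_only": sc.get("success") == "yes",
        })
    return findings

if __name__ == "__main__":
    print(setuid_root_denials(parse_events(SAMPLE)))
```

On the quoted records this reports one finding: `su` running with euid 0 but still in `user_t`, denied `create` on a `sysadm_home_dir_t` file.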