As I am working again on adjusting the reference policy to my distro, I have run into a problem with su that raised the following question: What use is su if a normal user, after running su, is still user_u:user_r:user_t and thus has no permissions to do stuff? Sure, he's root, but because of SELinux that alone isn't worth much, as being user_u still limits the user's options pretty much.

Is there anything I misunderstand here? I don't think there should be an automatic transition from user_r to sysadm_r, and newrole-ing this doesn't work as user_u doesn't have the sysadmin-role. So, what the heck is the use of su on an SELinux system?

To give you a little overview of what I am trying to do here with my system: I have configured the policy to be MLS, thus split up powers to different roles. root can compile a new policy in sysadm_r, but needs to be secadm_r to load it. Regular users can compile stuff, root can't (at least not as sysadm_r, I might enable this for staff_r and then require sysadm_r for the install process). But for now the problem really is that su to me seems pretty useless right now.

Thanks and best regards,
Dennis