On Sun, Nov 27, 2011 at 12:48:14PM -0700, Stan Sander wrote:
> Thanks for the tip. I was running in staff_r when I got the denials. I
> thought I read somewhere that staff was allowed to su, so never thought
> the difference of when I entered the newrole to be that significant.
> Anyway, I'll call newrole first but it still appears as though I need to
> keep the calls to pam_selinux out of the su file as it fails when they
> are in. Also pam_xauth doesn't appear as though it's able to play with
> selinux, at least not inside the su file.

Heh, my bad. There is no need to put pam_selinux for su in the first place. At least, I don't have it on my systems. The only place where pam_selinux is called is in the system-login definition for PAM (which is sourced by login, slim and sshd PAM definitions). Meh.

Sven Vermeulen