On Fri, 2004-04-02 at 09:56, murphy pope wrote:
> Everything that I've read says that the 'su' command will change my
> Linux user ID but not my identity. Here's what I see:
>
>   # id -Z
>   root:staff_r:staff_t
>   # su fred
>   Your default context is fred:sysadm_r:sysadm_t.
>   Do you want to choose a different one? [n]n
>   $ id -Z
>   fred:sysadm_r:sysadm_t
>
> My identity changed from 'root' to 'fred'. Bug? That seems a pretty
> fundamental flaw considering that every document that I've read uses
> 'su' to explain the difference between a user ID and an identity.
>
> By the way, I see the same result whether I use 'su' or 'su -'. I see
> the same result (a change in identity) whether I su from root to fred
> or from fred to root.
>
> So which one is right? The documentation or the code?

RedHat chose to integrate security context transitions into su (via
pam_selinux). The NSA documentation and externally developed
sourceforge selinux HOWTOs/FAQs were written prior to that change.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
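
The reply above attributes the identity change to pam_selinux being wired into su. As an added example (not part of the original thread and not Red Hat's code), this Python function lists the active pam_selinux session lines in a service's PAM stack, which is one way to check whether su on a given system will perform the context transition. The /etc/pam.d default path, the function names and the sample configuration are assumptions made for illustration.

```python
import os
import re

def read_pam_file(service, pam_dir="/etc/pam.d"):
    """Return the text of a PAM service file, or None if it does not exist."""
    path = os.path.join(pam_dir, service)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()

def selinux_session_lines(service, read=read_pam_file, seen=None):
    """List active `session` lines that load pam_selinux.so for a service,
    following include/substack, Debian-style @include and legacy pam_stack.so."""
    seen = set() if seen is None else seen
    text = None if service in seen else read(service)  # guard against include loops
    seen.add(service)
    hits = []
    for raw in (text or "").splitlines():
        # Drop comments and collapse bracketed controls such as [success=ok default=bad].
        line = re.sub(r"\[[^\]]*\]", "[ctl]", raw.split("#", 1)[0])
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "@include":
            hits += selinux_session_lines(tok[1], read, seen)
        elif len(tok) < 3 or tok[0].lstrip("-") != "session":
            continue
        elif tok[1] in ("include", "substack"):
            hits += selinux_session_lines(tok[2], read, seen)
        elif os.path.basename(tok[2]) == "pam_stack.so":
            for arg in tok[3:]:
                if arg.startswith("service="):
                    hits += selinux_session_lines(arg[8:], read, seen)
        elif os.path.basename(tok[2]) == "pam_selinux.so":
            hits.append((service, raw.strip()))
    return hits

# Constructed sample configuration (not taken from any real system).
SAMPLE = {
    "su": "auth sufficient pam_rootok.so\n"
          "session required pam_stack.so service=system-auth\n"
          "#session required pam_selinux.so close\n"
          "session required /lib/security/$ISA/pam_selinux.so open\n",
    "system-auth": "session required pam_unix.so\n",
}

if __name__ == "__main__":
    for svc, line in selinux_session_lines("su", SAMPLE.get):
        print(f"{svc}: {line}")
```

On a live system, call `selinux_session_lines("su")` to read the real files; an empty result means su's PAM stack does not invoke pam_selinux.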