Date: Mon, 28 Nov 2011 18:11:39 +0000
From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Re: Help with su (RESOLVED)
Message-ID: <20111128181139.GB27988@gentoo.org>
In-Reply-To: <4ED293FE.7010308@sblan.net>
References: <4ED05DE4.4050202@sblan.net> <4ED1C3D1.3060600@sblan.net> <20111127173850.GB18017@gentoo.org> <4ED293FE.7010308@sblan.net>

On Sun, Nov 27, 2011 at 12:48:14PM -0700, Stan Sander wrote:
> Thanks for the tip. I was running in staff_r when I got the denials. I
> thought I read somewhere that staff was allowed to su, so never thought
> the difference of when I entered the newrole to be that significant.
> Anyway, I'll call newrole first but it still appears as though I need to
> keep the calls to pam_selinux out of the su file as it fails when they
> are in.
>
> Also pam_xauth doesn't appear as though it's able to play with
> selinux, at least not inside the su file.

Heh, my bad. There is no need to put pam_selinux for su in the first place. At least, I don't have it on my systems.

The only place where pam_selinux is called is in the system-login definition for PAM (which is sourced by login, slim and sshd PAM definitions).

Meh.

Sven Vermeulen
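As an added illustration (not part of the thread above), a shell check that follows PAM `include`/`substack` chains to report which service files actually reach pam_selinux.so. The sample pam.d directory is constructed to mirror the layout Sven describes (system-login carries pam_selinux, login and sshd source it, su does not); it is not a copy of any real Gentoo PAM file.

```shell
#!/bin/sh
# Added example: resolve PAM include/substack chains to see whether a
# service reaches pam_selinux.so. All files below are constructed samples.

PAMDIR="$(mktemp -d)"
trap 'rm -rf "$PAMDIR"' EXIT

# Constructed sample layout: system-login holds pam_selinux; login and sshd
# source system-login; su only sources system-auth.
cat > "$PAMDIR/system-auth" <<'EOF'
auth     required  pam_unix.so try_first_pass
account  required  pam_unix.so
session  required  pam_unix.so
EOF
cat > "$PAMDIR/system-login" <<'EOF'
auth     include   system-auth
session  required  pam_selinux.so close
session  include   system-auth
session  required  pam_selinux.so open
EOF
printf 'auth include system-login\nsession include system-login\n' > "$PAMDIR/login"
printf 'auth include system-login\nsession include system-login\n' > "$PAMDIR/sshd"
printf 'auth include system-auth\nsession include system-auth\n'   > "$PAMDIR/su"

# pam_uses_selinux DIR SERVICE [SEEN]
# Exit 0 if pam_selinux.so appears in SERVICE or in anything it includes
# (transitively), 1 otherwise. SEEN is the space-separated list of files
# already visited, so include cycles terminate.
pam_uses_selinux() {
    [ -f "$1/$2" ] || return 1
    case " $3 " in *" $2 "*) return 1 ;; esac
    # Direct hit on a non-comment line
    grep -q '^[^#]*pam_selinux\.so' "$1/$2" && return 0
    # Third field of "type include|substack target" lines, comments skipped
    for inc in $(awk '$1 !~ /^#/ && ($2=="include" || $2=="substack") {print $3}' "$1/$2" | sort -u); do
        pam_uses_selinux "$1" "$inc" "$3 $2" && return 0
    done
    return 1
}

for s in login sshd su; do
    if pam_uses_selinux "$PAMDIR" "$s"; then echo "$s: reaches pam_selinux"
    else echo "$s: no pam_selinux"; fi
done
```

Point the function at a real /etc/pam.d to see which services on a given host would invoke pam_selinux.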