Description of problem: I am currently logged on my system as seuser staff_u. When I need root privileges, I change the role to sysadm_r and use the classic command "su -". This last command takes a while and generate a lot of denials (I have counted 3089 AVC). I have used audit2allow to generate dontaudit rules: #============= sysadm_su_t ============== dontaudit sysadm_su_t admin_home_t:dir write; dontaudit sysadm_su_t apm_bios_t:chr_file getattr; dontaudit sysadm_su_t autofs_device_t:chr_file getattr; dontaudit sysadm_su_t clock_device_t:chr_file getattr; dontaudit sysadm_su_t event_device_t:chr_file getattr; dontaudit sysadm_su_t fixed_disk_device_t:blk_file getattr; dontaudit sysadm_su_t framebuf_device_t:chr_file getattr; dontaudit sysadm_su_t fuse_device_t:chr_file getattr; dontaudit sysadm_su_t gpmctl_t:sock_file getattr; dontaudit sysadm_su_t init_t:dir search; dontaudit sysadm_su_t initctl_t:fifo_file getattr; dontaudit sysadm_su_t kmsg_device_t:chr_file getattr; dontaudit sysadm_su_t kvm_device_t:chr_file getattr; dontaudit sysadm_su_t loop_control_device_t:chr_file getattr; dontaudit sysadm_su_t lvm_control_t:chr_file getattr; dontaudit sysadm_su_t mei_device_t:chr_file getattr; dontaudit sysadm_su_t memory_device_t:chr_file getattr; dontaudit sysadm_su_t netcontrol_device_t:chr_file getattr; dontaudit sysadm_su_t nvram_device_t:chr_file getattr; dontaudit sysadm_su_t ppp_device_t:chr_file getattr; dontaudit sysadm_su_t printer_device_t:chr_file getattr; dontaudit sysadm_su_t proc_kcore_t:file getattr; dontaudit sysadm_su_t ptmx_t:chr_file getattr; dontaudit sysadm_su_t removable_device_t:blk_file getattr; dontaudit sysadm_su_t scsi_generic_device_t:chr_file getattr; dontaudit sysadm_su_t tty_device_t:chr_file getattr; dontaudit sysadm_su_t usbmon_device_t:chr_file getattr; dontaudit sysadm_su_t v4l_device_t:chr_file getattr; dontaudit sysadm_su_t vhost_device_t:chr_file getattr; dontaudit sysadm_su_t watchdog_device_t:chr_file getattr; dontaudit sysadm_su_t wireless_device_t:chr_file getattr; dontaudit sysadm_su_t xserver_misc_device_t:chr_file getattr; It works fine with them. Version in use: selinux-policy-targeted-3.12.1-73.fc19.noarch
5bf08c2d0bc4ce026376ee96b2a5e6bc2f214a39 fixes this in git.
Has been back ported. Lukas, is this a part of the latest update?
selinux-policy-targeted-3.12.1-74.2.fc19.noarch fixes almost all the denials. Here the remaining ones: #============= sysadm_su_t ============== dontaudit sysadm_su_t admin_home_t:dir write; dontaudit sysadm_su_t gpmctl_t:sock_file getattr; dontaudit sysadm_su_t init_t:dir search; dontaudit sysadm_su_t initctl_t:fifo_file getattr; dontaudit sysadm_su_t proc_kcore_t:file getattr;
Miroslav, Fix was included in 3.12.1-74.2.fc19
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Package selinux-policy-3.12.1-74.3.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19 then log in and leave karma (feedback).
Too late to give a good karma, but comment #3 is still valid.
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
It is too early to close, there are still some denials: #============= sysadm_su_t ============== dontaudit sysadm_su_t admin_home_t:dir write; dontaudit sysadm_su_t gpmctl_t:sock_file getattr; dontaudit sysadm_su_t init_t:dir search; dontaudit sysadm_su_t initctl_t:fifo_file getattr; dontaudit sysadm_su_t proc_kcore_t:file getattr;