Red Hat Bugzilla – Bug 119851
SELinux FAQ - RH change to SELinux identity security
Last modified: 2007-04-18 13:05:22 EDT
Description of change/FAQ addition. If a change, include the original
text first, then the changed text:
We need to add an entry for this:
Version-Release of FAQ (found on
This question is posed to follow the example where su is used with the
context transition prior to running useradd (i.e., the question "How
can I create a new Linux user account with the user's home directory
having the proper context?").
Here is the current proposed entry:
Q:. All of the other SELinux documentation states that the su command
will only change Linux identity, not security role.
A:. The Fedora Core development team has taken a slightly different
direction than existing SELinux practice. Security context transitions
are now integrated into su via pam_selinux.
In practice, this is like combining the traditional su with the
SELinux newrole, as one step instead of two.
I'd mention that we've done this to make it markedly simpler to use
the system, and that other forms of Unix identity change (e.g.
setuid(2)) do not cause an SELinux identity change.
Included in next build of the FAQ (1.0-3).