Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 119851

Summary: SELinux FAQ - RH change to SELinux identity security
Product: [Retired] Fedora Documentation
Reporter: James Morris <jmorris>
Component: selinux-faq
Assignee: Karsten Wade <kwade>
Status: CLOSED CURRENTRELEASE
QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium
Priority: medium
Version: devel
Hardware: All
OS: Linux
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Doc Type: Bug Fix
Last Closed: 2004-04-03 01:58:35 UTC
Bug Blocks: 118757

Description James Morris 2004-04-02 17:01:16 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

We need to add an entry for this:
https://listman.redhat.com/archives/fedora-selinux-list/2004-April/msg00031.html



Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

 selinux-faq-1.0-2 (2004-03-30-T16:20-0800)

Comment 1 Karsten Wade 2004-04-02 23:46:23 UTC
This question is posed to follow the example where su is used with the
context transition prior to running useradd (i.e., the question  "How
can I create a new Linux user account with the user's home directory
having the proper context?").  

Here is the current proposed entry:

## begin

Q:. All of the other SELinux documentation states that the su command
will only change Linux identity not security role.

A:. The Fedora Core development team has taken a slightly different
direction than existing SELinux practice. Security context transitions
are now integrated into su via pam_selinux.

In practice, this is like combining the traditional su with the
SELinux newrole, as one step instead of two. 

## end

Comment 2 James Morris 2004-04-02 23:55:45 UTC
I'd mention that we've done this to make it markedly simpler to use
the system, and that other forms of Unix identity change (e.g.
setuid(2)) do not cause an SELinux identity change.
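
A way to check the point made in Comment 2, as an added example that is not part of the bug thread or the FAQ: the program reads its SELinux context from /proc/self/attr/current, calls setuid(2), and reads the context again. The uid 65534 and the helper names are assumptions; it is meant to be run as root on an SELinux-enabled system.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy the SELinux user (first colon-separated field of a context such as
 * "user_u:user_r:user_t") into out. Returns 0 on success, -1 if malformed. */
int selinux_user(const char *ctx, char *out, size_t outlen)
{
    const char *colon = ctx ? strchr(ctx, ':') : NULL;
    size_t n;
    if (!colon || colon == ctx) return -1;
    n = (size_t)(colon - ctx);
    if (n >= outlen) return -1;
    memcpy(out, ctx, n);
    out[n] = '\0';
    return 0;
}

/* 1 if both contexts carry the same SELinux user, 0 if not, -1 if malformed. */
int same_selinux_user(const char *before, const char *after)
{
    char a[64], b[64];
    if (selinux_user(before, a, sizeof a) || selinux_user(after, b, sizeof b))
        return -1;
    return strcmp(a, b) == 0;
}

/* Read this process's context from procfs. Returns 0 on success, -1 otherwise. */
int read_current_context(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    size_t n;
    if (!f) return -1;
    n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return n ? 0 : -1;
}

int main(void)
{
    char before[256], after[256];
    if (read_current_context(before, sizeof before)) { puts("no SELinux context available"); return 0; }
    if (setuid(65534) != 0) perror("setuid"); /* needs root; 65534 is an assumed unprivileged uid */
    if (read_current_context(after, sizeof after)) return 1;
    printf("uid %d\nbefore: %s\nafter:  %s\nsame SELinux user: %d\n", (int)getuid(), before, after, same_selinux_user(before, after));
    return 0;
}
```
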


Comment 3 Karsten Wade 2004-04-03 01:58:35 UTC
Done.

Included in next build of the FAQ (1.0-3).