Hi,

I'm running a system in permissive mode to generate some local module
to suit my regular needs. Iterating to get all the local policies required
I find audit2allow spreading the following messages:

#============= sysadm_su_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

#       Possible cause is the source user (staff_u) and target user (root) are different.
allow sysadm_su_t user_home_dir_t:dir { add_name search write };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

#       Possible cause is the source user (staff_u) and target user (root) are different.
allow sysadm_su_t xauth_home_t:file { create open read write };

#============= xauth_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

#       Possible cause is the source user (staff_u) and target user (root) are different.
allow xauth_t user_home_dir_t:dir { add_name search write };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

#       Possible cause is the source user (staff_u) and target user (root) are different.
allow xauth_t xauth_home_t:file write;

These looks like the su module of selinux-base-policy should do a transition
to root user after I switch my user to the sysadm_r role, and execute su -l,
and it may be currently not happening. Please let me know if I'm doing anything
unexpected, or is it just a missing case in the policy. The system have su, but
not sudo.

Thanks!