Trying to switch to a different user on a SELinux- and grsecurity-enabled kernel w/ su fails with the following errors and denials:

    # su testuser
    su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
    Segmentation fault

From the log:

    [608399.079722] audit: type=1400 audit(1436192977.416:886): avc: denied { create } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=netlink_selinux_socket permissive=0
    [608399.080052] audit: type=1400 audit(1436192977.420:887): avc: denied { signal } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
    [608399.080065] audit: type=1400 audit(1436192977.420:888): avc: denied { signal } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
    [608399.080071] traps: su[5345] general protection ip:6fda22b8c588 sp:7dabe3bd5310 error:0 in libc-2.20.so[6fda22b56000+1a2000]
    [608399.080091] grsec: From 127.0.0.6: Segmentation fault occurred at (nil) in /bin/su[su:5345] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10684] uid/euid:0/0 gid/egid:0/0
    [608399.080108] grsec: From 127.0.0.6: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/su[su:5345] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10684] uid/euid:0/0 gid/egid:0/0

Reproducible: Always

The following relevant policy versions were installed at the time of testing:

    sec-policy/selinux-base-2.20141203-r6:0
    sec-policy/selinux-base-policy-2.20141203-r6:0

Kernel version running at the time of testing: 4.0.6-hardened-r2
For your information, similar stuff has been reported in the past [1] but sadly with no result(s). I'm going to go address this in the su_restricted_domain_template() inside admin/su.if for Gentoo. [1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
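The denials in the report above are the input a policy maintainer works from: each one names a source type, a target type, an object class and the missing permissions, and the fix is an allow rule covering them (the actual change to su_restricted_domain_template() is not on this page). The following is an added example, not code from the bug or from the Gentoo policy, that parses those three AVC lines and collapses them into allow rules the way audit2allow does; the log text is taken verbatim from the report.

```python
import re
from collections import defaultdict

# The three AVC denials from the report above, embedded as sample input.
AVC_LOG = """\
[608399.079722] audit: type=1400 audit(1436192977.416:886): avc: denied { create } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=netlink_selinux_socket permissive=0
[608399.080052] audit: type=1400 audit(1436192977.420:887): avc: denied { signal } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
[608399.080065] audit: type=1400 audit(1436192977.420:888): avc: denied { signal } for pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
"""

# Matches the permission set in braces and the scontext/tcontext/tclass fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denials(log):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        out.append((stype, ttype, m.group("tclass"), perms))
    return out

def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Same source and target type is written as 'self', as in policy sources.
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(AVC_LOG)):
        print(rule)
```

Running it yields two rules for sysadm_su_t (netlink_selinux_socket create, process signal); in refpolicy these would be expressed inside the su interface rather than pasted as raw allow rules.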
Fixed in repo, will be in r8
r8 is in ~arch now
r8 is stable