I recently switched from FC4 targeted (enforcing) to strict (permissive) using selinux-policy-strict-1.27.1-2.16.noarch.rpm. I did a touch /.autorelabel before rebooting.

I see this: [bruce@BorgCube ~]$ su - Password: Error sending status request (Operation not permitted) [root@BorgCube ~]#

The last part of the /var/log/audit/audit.log shows: type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su" type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su" type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/2 result=Success)'

Any ideas?

If I change to strict, enforcing, will this prevent me from su to root?

Bruce