Stephen Smalley wrote:
> Early Fedora and RHEL-4 put pam_selinux in /etc/pam.d/su in an effort to
> automatically change contexts upon user identity changes.  This proved
> to be a mistake in practice (and a deviation from the original SELinux
> approach), and was subsequently removed in later Fedora and RHEL-5.

BTW, is there any further explanation of why this is a mistake? And
question #2, I think sudo still does this, isn't that a mistake too?

Michal Svoboda