User roles and transitions

A surprising side effect of protection domains described by a security policy shows up where the "su" utility would traditionally be used: no second login with the root credentials is needed. Why? Because a) the user's identity is already known, so why should she change IDENTITY to perform a different function? Doing so not only violates the principle of accountability (always know WHO is doing something) but also exposes the root credentials more often and thus makes them less secure. In a traditional system the root credentials are needed because the system has no way of knowing that user X is entitled to run "su". And b) on an SELinux system the policy itself states that user X may transition to the role "sysadm" (sysadm_r), which is therefore known to the system; the role change is performed with "newrole -r sysadm_r" rather than by becoming root. Two conditions must both hold for the change to be permitted: the SELinux user that the login is mapped to must be authorized for the target role, and the policy must contain a role allow rule from the current role to the target role.

There is a small issue with not asking for live credentials in this case: what if the user left the desktop and somebody else is typing in the command? But even then we do not want the root credentials to be entered. All we want is a liveness check on the user's identity, so we ask her to repeat her initial authentication. This is exactly what "newrole" does: it prompts for the caller's own password (through PAM), never for root's.

Another interesting case is the "system" role (system_r), which is reserved for running system services. Some policies allow sysadm or staff users to transition to the system role automatically so they can start system services directly from their session; the alternative is an explicit transition through "run_init", which re-authenticates the caller before starting the service in the system role. The automatic transition is convenient, but it weakens the separation between an administrator's interactive session and the daemons it starts, so it should be a deliberate policy decision rather than the default.
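To make the two conditions behind a role change concrete, here is an added example (not code from the original page) that models the policy side of "newrole -r <role>" for both the staff-to-sysadm case above and the question of who may reach the system role. The three inputs are constructed to mimic the output of "semanage login -l", "semanage user -l" (roles column) and "sesearch --role_allow"; they are not captured from a real system, and the role allow rules are a hypothetical policy fragment chosen to illustrate the checks. The PAM liveness check that newrole performs after these checks is deliberately not modelled.

```python
"""Policy checks behind an SELinux role change such as `newrole -r sysadm_r`.

Added example, not code from the original page. The inputs below are
constructed (semanage login -l / semanage user -l / sesearch --role_allow
style); the role allow rules are a hypothetical policy fragment.
"""
from collections import deque
from typing import Dict, Set, Tuple

# Constructed sample: Linux login -> SELinux user
LOGIN_MAP_TEXT = """\
__default__   user_u
root          root
alice         staff_u
bob           user_u
"""

# Constructed sample: SELinux user -> roles it is authorised for
SEUSER_TEXT = """\
root      system_r sysadm_r staff_r
staff_u   staff_r sysadm_r
sysadm_u  sysadm_r
system_u  system_r
user_u    user_r
"""

# Constructed sample: role allow rules (hypothetical policy fragment)
ROLE_ALLOW_TEXT = """\
allow staff_r sysadm_r;
allow sysadm_r staff_r;
allow sysadm_r system_r;
allow system_r sysadm_r;
"""


def parse_login_map(text: str) -> Dict[str, str]:
    """login -> SELinux user, from `semanage login -l`-style lines."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            result[parts[0]] = parts[1]
    return result


def parse_seusers(text: str) -> Dict[str, Set[str]]:
    """SELinux user -> set of roles it is authorised for."""
    result: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            result[parts[0]] = set(parts[1:])
    return result


def parse_role_allow(text: str) -> Dict[str, Set[str]]:
    """'allow FROM TO;' rules -> FROM -> {TO, ...}."""
    result: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) == 3 and parts[0] == "allow":
            result.setdefault(parts[1], set()).add(parts[2])
    return result


LOGINS = parse_login_map(LOGIN_MAP_TEXT)
SEUSERS = parse_seusers(SEUSER_TEXT)
ROLE_ALLOW = parse_role_allow(ROLE_ALLOW_TEXT)


def seuser_for(login: str) -> str:
    """Map a Linux login to its SELinux user, falling back to __default__."""
    return LOGINS.get(login, LOGINS["__default__"])


def can_newrole(login: str, current_role: str, target_role: str) -> Tuple[bool, str]:
    """Policy side of `newrole -r target_role` for a process in current_role.
    Both checks must pass; real newrole then still authenticates the caller
    against her *own* password via PAM (not modelled here)."""
    seuser = seuser_for(login)
    if target_role not in SEUSERS.get(seuser, set()):
        return False, f"{seuser} is not authorised for {target_role}"
    if target_role not in ROLE_ALLOW.get(current_role, set()):
        return False, f"no 'allow {current_role} {target_role};' rule in policy"
    return True, f"{login} ({seuser}) may change {current_role} -> {target_role} after re-authenticating"


def reachable_roles(login: str, start_role: str) -> Set[str]:
    """Roles a login can reach from start_role via a chain of permitted changes."""
    seen = {start_role}
    queue = deque([start_role])
    while queue:
        role = queue.popleft()
        for nxt in ROLE_ALLOW.get(role, set()):
            if nxt not in seen and can_newrole(login, role, nxt)[0]:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for login, cur, tgt in [("alice", "staff_r", "sysadm_r"), ("bob", "user_r", "sysadm_r"),
                            ("alice", "staff_r", "system_r"), ("root", "staff_r", "system_r")]:
        ok, why = can_newrole(login, cur, tgt)
        print(f"{'ALLOW' if ok else 'DENY '} {login}: {cur} -> {tgt}: {why}")
    print("root from staff_r can reach:", sorted(reachable_roles("root", "staff_r")))
```

Note the two different reasons for a denial: bob is refused sysadm_r because his SELinux user (user_u) is never authorised for it, while root is refused a direct jump from staff_r to system_r even though the root SELinux user is authorised for system_r, because the sample policy only allows that role change from sysadm_r. The reachable_roles walk shows the indirect path that does exist, which is the kind of check worth running before deciding whether a policy should let administrators reach the system role at all.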