PAM SC(EP): a single su command by a non-root user produces two SURROGATE audit records, non-root to another user and non-root to root

Document ID : KB000108051
Last Modified Date : 27/07/2018
Issue:
The customer added the following rule to audit user switching (su):
editres SURROGATE ('USER._default') audit(SUCCESS FAILURE) defaccess(READ) owner('nobody')
When a non-root user switches to another user with a single su command, two SURROGATE audit records appear: one for the non-root user switching to the target user, and one for the non-root user switching to root.
 
Environment:
OS: RHEL
Product: CA Privileged Access Manager Server Control r14.0 for Endpoint.
The same behavior may also occur on CA Privileged Identity Manager r12.8 SP1 and similar releases.
 
Resolution:
The customer found that the problem occurs when SELinux is in 'permissive' mode.
After SELinux was disabled, the SURROGATE auditing worked as expected.
Note that in permissive mode the SELinux policy is still loaded and its hooks still run (denials are logged rather than enforced); only 'disabled' removes it. The current runtime mode can be checked with getenforce; the persistent setting is the SELINUX= line in /etc/selinux/config and takes effect after a reboot. Disabling SELinux removes a host-level control, so weigh that against the duplicate audit records before applying the change fleet-wide.
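The following shell snippet is an added example, not part of the original KB article or of the CA product, showing how to check and change the persistent SELinux mode described in the resolution. It takes the config file path as a parameter and runs here against a constructed copy that mirrors the failing state (SELINUX=permissive); on a real host the path would be /etc/selinux/config, and the runtime mode would additionally be checked with getenforce.

```shell
# Added example (not from the KB article): read and rewrite the SELINUX= line
# of a selinux config file. The file path is a parameter so the functions can
# be exercised on a constructed copy; on a real RHEL host use /etc/selinux/config.

selinux_config_mode() {
    # Print the value of the active (non-comment) SELINUX= line:
    # one of enforcing, permissive, disabled. Comment lines such as
    # "# SELINUX= can take one of these three values:" are skipped.
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

set_selinux_config_mode() {
    # $1 = config file, $2 = desired mode. Only the three valid modes are
    # accepted; anything else is rejected so a typo cannot leave a broken
    # config behind. The change takes effect after a reboot.
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $2" >&2; return 1 ;;
    esac
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1"
}

# Constructed sample config reproducing the state the KB reports as failing.
CFG="$(mktemp)"
cat >"$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

echo "before: $(selinux_config_mode "$CFG")"
set_selinux_config_mode "$CFG" disabled
echo "after:  $(selinux_config_mode "$CFG")"
```

The read function deliberately ignores commented-out SELINUX= lines, which the stock RHEL file contains, and the writer validates the mode before touching the file; on a live host the runtime mode reported by getenforce will only match the file after a reboot.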