SELinux is preventing xdm from opening opasswd file
Issue
- SELinux is preventing xdm from opening the /etc/security/opasswd file.
- Users are not able to change their passwords through the GDM login screen when they are expired and the password history check is enabled.
- The following SELinux denials are logged:
time->Mon Aug 18 17:02:28 2014
type=SYSCALL msg=audit(1408374148.654:245): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f2ab44192 a1=0 a2=1b6 a3=0 items=0 ppid=3574 pid=3731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408374148.654:245): avc: denied { read } for pid=3731 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=1046138 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
- The issue is reproducible. Create a test user and expire its password (using chage).
- Enable password history check in pam.d through pam_unix (...) remember=3.
- Try to log in through gdm and change your password when asked.
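The SYSCALL and AVC records above carry the same audit event serial (245), so they describe one denied call. The following is an added example, not part of the original article: it pairs the records by serial and extracts the fields that identify this denial. The function names are illustrative assumptions.

```python
import errno
import re

# The audit records shown above, copied from the page (a single event, serial 245).
SAMPLE = """\
time->Mon Aug 18 17:02:28 2014
type=SYSCALL msg=audit(1408374148.654:245): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f2ab44192 a1=0 a2=1b6 a3=0 items=0 ppid=3574 pid=3731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408374148.654:245): avc: denied { read } for pid=3731 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=1046138 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event serial so each AVC is read with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # skips ausearch "time->" separator lines
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def summarize(event):
    """Reduce one event to who was denied what, and how the syscall failed."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    exit_code = int(sc["exit"]) if "exit" in sc else None
    return {
        "source_type": avc["scontext"].split(":")[2],  # SELinux type of the process
        "target_type": avc["tcontext"].split(":")[2],  # SELinux type of the file
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "name": avc["name"],
        "exe": sc.get("exe"),
        "exit": exit_code,
        "errno": errno.errorcode.get(-exit_code) if exit_code and exit_code < 0 else None,
    }

def matches_issue(s):
    """True when an xdm_t process was denied read on a shadow_t file, as in this article."""
    return (s["source_type"], s["target_type"], s["tclass"]) == ("xdm_t", "shadow_t", "file") and "read" in s["perms"]
```

For the event on this page the summary shows `gdm-session-worker` running as `xdm_t`, denied `read` on the `shadow_t`-labelled `opasswd`, with the open call returning EACCES (exit=-13).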
Environment
- Red Hat Enterprise Linux 6.5
- pam
- selinux-policy