SELinux is preventing xdm from opening opasswd file

Solution Verified - Updated -

Issue

  • SELinux is preventing xdm from opening /etc/security/opasswd file.
  • users are not able to change their password through GDM login screen when they are expired and password history check enabled.
  • Getting the below selinux denials:
time->Mon Aug 18 17:02:28 2014
type=SYSCALL msg=audit(1408374148.654:245): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f2ab44192 a1=0 a2=1b6 a3=0 items=0 ppid=3574 pid=3731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408374148.654:245): avc:  denied  { read } for  pid=3731 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=1046138 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
  • The issue is reproducible. Create a test user and expire its password (using chage).
    • Enable password history check in pam.d through pam_unix (...) remember=3.
    • Try to login through gdm and change your password when asked.

Environment

  • Red Hat Enterprise Linux 6.5
  • pam
  • selinux-policy

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.