Enabling pam_tty_audit on a RHEL 8 or 9 system with GUI breaks the GUI


Issue

  • After enabling pam_tty_audit by updating /etc/pam.d/password-auth and /etc/pam.d/system-auth to contain session required pam_tty_audit.so enable=[...], the system no longer boots into graphical mode

  • SELinux AVC denials for audit_control, raised against the systemd --user process, are seen in the journal

    type=AVC msg=audit([...]): avc:  denied  { audit_control } for  pid=1961 comm="(systemd)" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0
    
  • SSH logins are still possible, but the messages below are seen in the journal

    [...] Started Session XXX of user USER.
    [...] systemd[SOMEPID]: PAM failed: Cannot make/remove an entry for the specified session
    [...] systemd[SOMEPID]: user@UID.service: Failed to set up PAM session: Operation not permitted
    [...] systemd[SOMEPID]: user@UID.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
    [...] systemd[1]: user@UID.service: Failed with result 'protocol'.
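
A triage sketch for recognizing this signature on a host, added here as an example and not taken from the Red Hat article: it checks PAM configuration text for an active pam_tty_audit session line and looks for the two log signatures listed above. The function names, the sample timestamps, PIDs and UID, and the "module active plus at least one signature" rule are assumptions made for illustration.

```python
import re

# Constructed samples modelled on the excerpts above (timestamps, PIDs, UID are made up).
SAMPLE_PAM = """\
session     required      pam_limits.so
#session    required      pam_tty_audit.so disable=*
session     required      pam_tty_audit.so enable=[...]
"""
SAMPLE_JOURNAL = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { audit_control } for  pid=1961 comm="(systemd)" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0
Jan 01 10:00:00 host systemd[2001]: PAM failed: Cannot make/remove an entry for the specified session
Jan 01 10:00:00 host systemd[2001]: user@1000.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
Jan 01 10:00:00 host systemd[1]: user@1000.service: Failed with result 'protocol'.
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PAM_STEP_RE = re.compile(r"(user@\d+\.service): Failed at step PAM spawning")
# PAM line layout: type, control (simple word or [bracketed list]), module, arguments.
TTY_AUDIT_RE = re.compile(r"^\s*session\s+(?:\[[^\]]*\]|\S+)\s+pam_tty_audit\.so\b")

def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def tty_audit_lines(pam_text):
    """Active (uncommented) session lines that load pam_tty_audit."""
    return [l.strip() for l in pam_text.splitlines() if TTY_AUDIT_RE.match(l)]

def triage(journal_text, pam_text):
    avcs = filter(None, map(parse_avc, journal_text.splitlines()))
    denials = [a for a in avcs
               if "audit_control" in a["perms"] and a.get("comm") == "(systemd)"
               and a.get("tclass") == "capability" and ":init_t:" in a.get("scontext", "")]
    units = sorted(set(PAM_STEP_RE.findall(journal_text)))
    pam = tty_audit_lines(pam_text)
    # Heuristic (assumption): module is active AND at least one log signature is present.
    return {"pam_lines": pam, "denials": denials, "failed_units": units,
            "matches_issue": bool(pam and (denials or units))}

if __name__ == "__main__":
    print(triage(SAMPLE_JOURNAL, SAMPLE_PAM))
```

On a real host, pass in the concatenated contents of /etc/pam.d/password-auth and /etc/pam.d/system-auth together with exported journal text.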
    

Environment

  • Red Hat Enterprise Linux 8 and 9
    • systemd
    • pam_tty_audit
