Permission denied on /etc/security/opasswd during forced password change when using remember in pam_unix
Issue
- When forcing a user to change their password, or after the password has expired, the user cannot change it because SELinux denies access to /etc/security/opasswd (the file pam_unix uses for the `remember` option), with this error:
----
Oct 14 09:00:33 localhost login[10226]: pam_unix(login:account): expired password for user newuser (root enforced)
Oct 14 09:01:12 localhost login[10226]: pam_unix(login:chauthtok): can't open /etc/security/opasswd file to check old passwords
Oct 14 09:01:12 localhost login[10226]: pam_unix(login:chauthtok): new password not acceptable
Oct 14 09:01:15 localhost login[10226]: Authentication token manipulation error
----
- The SELinux denial is:
----
time->Fri Sep 2 03:55:02 2022
type=PROCTITLE msg=audit(1662105302.984:2660): proctitle=737368643A207573657231205B70616D5D
type=SYSCALL msg=audit(1662105302.984:2660): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f2d607a9cf4 a2=0 a3=0 items=0 ppid=6616 pid=6618 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662105302.984:2660): avc: denied { read } for pid=6618 comm="sshd" name="opasswd" dev="dm-0" ino=1361688 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=0
----
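A small parser for the audit records above, added here as an example and not part of the Red Hat article: it splits each record into fields, groups them by event id, decodes the hex-encoded proctitle, and flags the exact pattern shown on this page (a confined domain denied `read` on the `shadow_t`-labelled `opasswd` file in enforcing mode), so the denial can be matched in auditd output rather than found by eye. The sample lines are the AVC and PROCTITLE records copied from the page.

```python
import re

# Constructed sample input: the audit records of the denial shown on this page.
AUDIT_LINES = [
    'type=PROCTITLE msg=audit(1662105302.984:2660): proctitle=737368643A207573657231205B70616D5D',
    'type=AVC msg=audit(1662105302.984:2660): avc: denied { read } for pid=6618 comm="sshd" name="opasswd" dev="dm-0" ino=1361688 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial shared by one event
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # permission set of an AVC record

def parse_record(line):
    """Turn one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev, perms = EVENT_RE.search(line), PERMS_RE.search(line)
    rec['event'] = ev.group(1) if ev else None
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def decode_proctitle(hexstr):
    """auditd hex-encodes proctitle when it contains spaces; NULs separate argv."""
    return bytes.fromhex(hexstr).replace(b'\x00', b' ').decode('utf-8', 'replace')

def selinux_type(context):
    """'system_u:system_r:sshd_t:s0-s0:c0.c1023' -> 'sshd_t'"""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def is_opasswd_denial(rec):
    """The pattern from this page: a confined domain denied read on the
    shadow_t-labelled opasswd file while SELinux is enforcing (permissive=0)."""
    return (rec.get('type') == 'AVC' and 'read' in rec['perms']
            and rec.get('name') == 'opasswd' and rec.get('tclass') == 'file'
            and selinux_type(rec.get('tcontext', '')) == 'shadow_t'
            and rec.get('permissive') == '0')

def scan(lines):
    """Group records by event id; return (event, source domain, command line)
    for each event containing the opasswd denial."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec['event'], []).append(rec)
    hits = []
    for event, recs in events.items():
        title = next((decode_proctitle(r['proctitle']) for r in recs
                      if r.get('type') == 'PROCTITLE'), '')
        hits += [(event, selinux_type(r['scontext']), title)
                 for r in recs if is_opasswd_denial(r)]
    return hits
```

Feeding it `ausearch -m AVC,PROCTITLE -i` style raw records (one per line) reports the source domain, here `sshd_t`, which is what a policy fix or local module would need to allow.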
Environment
- Red Hat Enterprise Linux
- PAM
- SELinux