When i manage user data via LDAP (using pam_ldap), useradd/usermod/etc fail when run from scripts. In particular, e.g. # yum install httpd fails because the "useradd apache" commands hangs. Audit2allow suggests: allow useradd_t urandom_device_t:chr_file { getattr read }; If i modify my LDAP configuration so that connections are not encrypted using TLS, the useradd succeeds. I think that, when LDAP is in use, anyone who needs to query the passwd or group map [1] should be able to read /dev/urandom so they can initiate TLS LDAP connections. But i don't know enough about the layout of the SELinux policy to speculate on whether the problem is that: (a) The PAM/LDAP client policy is ignorant of TLS (b) The useradd/etc policy is ignorant of LDAP (c) Something else Any suggestions would be appreciated. I have "solved" this for my own purposes the hackish way (i.e. by doing what audit2allow recommends, as a standalone module), but i'd like to be able to recommend a real patch. Thanks. Chaos [1] The useradd/usermod/etc commands need to query passwd maps in order to fail with an error if a central user conflicts with the user being created. -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list