Hello,
I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy.
When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their
password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir.
I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created.
I'm able to address the issues with the following rules:
# Note that these rules would be applied in the sudo interface to support all sudo types
create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
allow sysadm_sudo_t_t self:capability:chown;create_files_pattern( newrole_t, faillog_t, faillog_t )
setattr_files_pattern( newrole_t, faillog_t, faillog_t )
allow newrole_t self:capability:chown;
Is this the correct solution? Or should a transition be happening when faillock executes?
Thanks,
Andy Ruch
