----- Original Message -----
> From: Chad Hanson <dahchanson@xxxxxxxxx>
> To: Andy Ruch <adruch2002@xxxxxxxxx>
> Cc: Christopher J. PeBenito <cpebenito@xxxxxxxxxx>; SELinux ML <selinux@xxxxxxxxxxxxx>
> Sent: Friday, April 26, 2013 9:16 AM
> Subject: Re: SELinux errors with pam_faillock
>
> I think the bigger issue with your question on sudo and newrole is
> what have you done to get into the system without already creating
> faillog files for the current user. Both sudo and newrole are only
> authenticating the existing user. There is a problem in su.if in that it
> needs manage instead of rw since you are changing to a different user
> which may not yet have a faillog entry as I would understand this
> process. Also, there is a missing block to read the cracklib
> dictionaries in the sudo.if file.
>

To my knowledge, the files in /var/run/faillock are created when an error (wrong password) occurs during user authentication, not when the user logs in. Are you saying the files should always be created, even on logon?

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
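The point the thread turns on is whether a domain only reads and writes an existing faillock record (the user authenticating is the same user, so pam_faillock has already created the file on an earlier failure) or must also create one (su switches to a user who may have no record yet). The AVC denials in the audit log tell you which case you are in. The following triage script is an added example and is not code from the thread or from the reference policy: it parses AVC denial lines against faillog_t, groups the denied permissions by source domain, and reports whether an rw-level or a manage-level file access interface would cover them. The permission sets are written down from memory of refpolicy's rw_file_perms and manage_file_perms macros and should be checked against the installed policy; the audit lines and the sudo_t / staff_su_t / crack_db_t names in them are constructed sample data, not captured from a real system.

```python
import re

# Permission sets as the refpolicy rw_file_perms and manage_file_perms macros
# define them (assumed from memory; verify against obj_perm_sets.spt).
RW_FILE_PERMS = {"open", "getattr", "read", "write", "append", "ioctl", "lock"}
MANAGE_FILE_PERMS = RW_FILE_PERMS | {"create", "setattr", "rename", "link", "unlink"}

# Constructed sample audit lines: a sudo domain that only reads/writes the
# calling user's existing record, a su domain that tries to create a record
# for the target user, and an unrelated cracklib dictionary denial.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1366980000.123:456): avc:  denied  { read write } for  pid=2231 '
    'comm="sudo" name="alice" dev="tmpfs" ino=18 '
    'scontext=unconfined_u:unconfined_r:sudo_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file',
    'type=AVC msg=audit(1366980001.321:457): avc:  denied  { create } for  pid=2240 '
    'comm="su" name="bob" scontext=staff_u:staff_r:staff_su_t:s0 '
    'tcontext=system_u:object_r:faillog_t:s0 tclass=file',
    'type=AVC msg=audit(1366980002.111:458): avc:  denied  { write } for  pid=2240 '
    'comm="su" name="bob" scontext=staff_u:staff_r:staff_su_t:s0 '
    'tcontext=system_u:object_r:faillog_t:s0 tclass=file',
    'type=AVC msg=audit(1366980003.000:459): avc:  denied  { read } for  pid=2251 '
    'comm="sudo" name="cracklib_dict.pwd" scontext=unconfined_u:unconfined_r:sudo_t:s0 '
    'tcontext=system_u:object_r:crack_db_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return (source_domain, target_type, tclass, set_of_denied_perms),
    or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return (
        _type_of(fields.get("scontext", "")),
        _type_of(fields.get("tcontext", "")),
        fields.get("tclass", ""),
        perms,
    )


def classify_faillog_denials(lines, target_type="faillog_t"):
    """Group file denials on target_type by source domain and decide which
    access level covers them: "rw" if every denied permission is in the rw
    set, "manage" if the create/unlink-style permissions are also needed,
    "other" if something outside both sets was denied.  Only tclass=file is
    considered; the directory permissions the pattern macros also grant are
    not classified here."""
    by_domain = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        domain, ttype, tclass, perms = parsed
        if ttype != target_type or tclass != "file":
            continue
        by_domain.setdefault(domain, set()).update(perms)

    verdict = {}
    for domain, perms in by_domain.items():
        if perms <= RW_FILE_PERMS:
            verdict[domain] = "rw"
        elif perms <= MANAGE_FILE_PERMS:
            verdict[domain] = "manage"
        else:
            verdict[domain] = "other"
    return verdict


if __name__ == "__main__":
    for domain, level in sorted(classify_faillog_denials(SAMPLE_AVC_LINES).items()):
        print(f"{domain}: needs {level}-level access to faillog_t files")
```

On a real system the input would be the output of `ausearch -m AVC` rather than the constructed list; the classification is only as good as the denials you have collected, so run the failing su/sudo/newrole scenario in permissive mode first so that every permission the operation needs is logged in one pass instead of one denial at a time.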