I would expect this to be the case from reading the pam_faillock man page. On successful attempts you clear the file of any errors. I would assume this would make the file if it doesn't exist. That seems to be the case in my testing. This would be the only reason why some policy modules have auth_manage_faillog vs auth_rw_faillog. That interface doesn't look to be in refpolicy yet, but is in policy-F13.patch in RHEL 6.

You are definitely correct that there needs to be policy for the files to get created by someone.

On Fri, Apr 26, 2013 at 3:46 PM, Andy Ruch <adruch2002@xxxxxxxxx> wrote:
>
> ----- Original Message -----
>> From: Chad Hanson <dahchanson@xxxxxxxxx>
>> To: Andy Ruch <adruch2002@xxxxxxxxx>
>> Cc: Christopher J. PeBenito <cpebenito@xxxxxxxxxx>; SELinux ML <selinux@xxxxxxxxxxxxx>
>> Sent: Friday, April 26, 2013 9:16 AM
>> Subject: Re: SELinux errors with pam_faillock
>>
>> I think the bigger issue with your question on sudo and newrole is
>> what have you done to get into the system without already creating
>> faillog files for the current user. Both sudo and newrole are only
>> authenticating the existing user. There is a problem in su.if that it
>> needs manage instead of rw since you are changing to a different user
>> which may not yet have a faillog entry as I would understand this
>> process. Also, there is a missing block to read the cracklib
>> dictionaries in the sudo.if file.
>>
>
> To my knowledge, the files in /var/run/faillock are created when an error (wrong password) occurs during user authentication, not when the user logs in. Are you saying the files should always be created, even on logon?
>
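To make the manage-vs-rw distinction discussed in this thread concrete, here is an added, hypothetical refpolicy-style interface pair; it is not the code from policy-F13.patch or from refpolicy, and it assumes the records under /var/run/faillock are labelled faillog_t and that the files_search_pids() and *_files_pattern macros are available as in refpolicy.

```m4
## Added example, not the actual refpolicy or RHEL 6 policy code.
## Assumes /var/run/faillock and its per-user records carry faillog_t.

## <summary>
##	Read and write existing pam_faillock records only.
##	Sufficient when the record for the user being
##	authenticated already exists (e.g. a prior failure).
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`auth_rw_faillog',`
	gen_require(`
		type faillog_t;
	')

	files_search_pids($1)
	# read/write on an existing file; no create or unlink,
	# so a first successful auth for a new user is denied
	# when pam_faillock tries to create the tally file.
	rw_files_pattern($1, faillog_t, faillog_t)
')

## <summary>
##	Create, read, write and delete pam_faillock records.
##	Needed by domains that authenticate a *different* user
##	(su) who may not yet have a record under /var/run/faillock.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`auth_manage_faillog',`
	gen_require(`
		type faillog_t;
	')

	files_search_pids($1)
	# manage adds create, unlink and rename on top of rw,
	# covering the "file does not exist yet" case from the thread.
	manage_files_pattern($1, faillog_t, faillog_t)
')
```

A domain such as the su domain would call auth_manage_faillog() instead of auth_rw_faillog(); the AVC denial to look for when the wrong one is used is a create (or add_name on the faillock directory) denied against faillog_t.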