Working an issue here, we uncovered that PAM is checking the wrong SELinux permission in the pam_rootok module; it checks the passwd permission instead of the rootok permission. This issue was reported earlier this year [1] but no action has been taken. This has been around since early 2013, when the code was changed from the old checkPasswdAccess() to selinux_check_access(), but an impact to users would be rare since most domains that have the rootok permission also have the passwd permission.

[1] https://fedorahosted.org/linux-pam/ticket/37

diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index 70579e5..88bed0c 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -106,7 +106,7 @@ selinux_check_root (void) return status; } - status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); + status = selinux_check_access(user_context, user_context, "passwd", "rootok", NULL); selinux_set_callback(SELINUX_CB_LOG, old_callback); freecon(user_context);

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

Selinux mailing list
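Review bot: the change to the selinux_check_access() call in selinux_check_root() (class "passwd", permission "passwd" replaced by "rootok") is a policy-visible behaviour change and should be called out in the commit message and changelog: any domain that is granted passwd:passwd but not passwd:rootok will now be denied by pam_rootok where it previously succeeded, so policy maintainers need to know to add the rootok permission. The message notes this combination is rare, but the patch itself does not say so. Since the wrong permission string survived unnoticed since 2013, a one-line comment above the call stating that pam_rootok must check the rootok permission (not passwd) would make the intent visible to the next reader.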