I have a RHEL 6.0, and I configured pam_exec to run a custom authentication method through a bash script. If SE Linux is disabled everything works as expected, but when I enable SELinux I get a permission denied error when pam_exec tries to execute the script. How can I tell SELinux to allow this script to be executed when a user tries to log in?
/etc/pam.d/password-auth
auth sufficient pam_exec.so expose_authtok seteuid /opt/myscript.sh
audit.log
type=AVC msg=audit(1496962765.610:24707): avc: denied { execute } for pid=7476 comm="gdm-session-wor" name="myscript.sh" dev=dm-0 ino=21416 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
Best Answer
The script has a different security context that doesn't allow pam_exec to run it. The pam_exec process is running with context
system_u:system_r:xdm_t:s0-s0:c0.c1023
whereas the script has a context of unconfined_u:object_r:usr_t:s0. You'll need to change the script type to allow pam_exec to run it; e.g. via
chcon -t xdm_t script_name
(you may have to change other file attributes/ownership to allow pam_exec to run the script). That should allow you to test the script, though you may have to change the type back if you need to run the script yourself. The change won't survive reboots or filesystem relabels though; for that, you'll need to run
/usr/sbin/semanage fcontext -a -t xdm_t /full/path/to/script
to record the change.
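As an added example, not part of the question or the answer above: reading the AVC record by eye is error-prone (the level field contains colons, and comm/name are quoted), so this small Python parser turns an audit.log line into structured fields and prints the source domain, the target type, the denied permission and the object class, which is exactly what you need before deciding which file type to assign. The sample log below is constructed from the denial in the question plus a made-up SYSCALL record to show that non-AVC lines are skipped; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC record from the question, followed by a
# constructed SYSCALL record so the filter has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496962765.610:24707): avc: denied { execute } for pid=7476 comm="gdm-session-wor" name="myscript.sh" dev=dm-0 ino=21416 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1496962765.610:24707): arch=c000003e syscall=59 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, result, permission set, then key=value fields.
AVC_HEADER = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="...", name="...") or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:level; the level may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC record into a dict; return None for any other audit record type."""
    m = AVC_HEADER.match(line.strip())
    if not m:
        return None
    rec: Dict = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in KV.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = parse_context(rec[key])
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    return rec


def parse_audit_log(text: str) -> List[Dict]:
    """Return every AVC record found in a block of audit.log text, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def describe(rec: Dict) -> str:
    """One-line summary: which domain was refused which permission on which file type."""
    return (
        f'{rec["result"]}: {rec.get("comm")} (pid {rec.get("pid")}) running as '
        f'{rec["scontext"]["type"]} tried to {" ".join(rec["perms"])} '
        f'{rec["tclass"]} "{rec.get("name")}" labelled {rec["tcontext"]["type"]}'
    )


if __name__ == "__main__":
    for record in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(describe(record))
```

Run against a real file with `parse_audit_log(open("/var/log/audit/audit.log").read())`; the source type is what appears as the process domain in the denial, and the target type is the label you compare against the output of `ls -Z` on the script after any chcon/semanage change.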