Centos 6, pam_smbpass and selinux

Tim Young Tim.Young at LightSys.org
Tue Jul 16 12:09:32 MDT 2013

I had googled all over creation and did not find an answer, but since 
I finally found it, I thought I would post it somewhere.  And this 
seemed to be the best spot.

On Centos 6, we set up pam_smbpass migrate, and would perpetually get 
a "failed to add entry for user [user]" message when we would login.
If we set selinux to permissive, it would work just fine.
But with selinux in enforcing mode, it would be blocked.  And the 
thing that drove me nuts was that there was no audit log telling me 
what the problem was.

We ended up doing a:
# semodule -D -B
which temporarily disables the selinux rules that do a "do not log" 
block.  The block still happens, but they are logged.
Then, we were able to use sealert to see that there was a problem.
# sealert -a /var/log/audit/audit.log | less
Sealert told us to generate a rule by running:
# grep login /var/log/audit.log | audit2allow -m pam_smbpass
# semodule -i pam_smbpass.pp
It worked after that.  Yay!

The pam_smbpass.te file it generated for me was:

module pam_smbpass 1.0;

require {
        type chkpwd_t;
        type unconfined_t;
        type local_login_t;
        type samba_var_t;
        type getty_t;
        class process { siginh noatsecure rlimitinh };
        class file write;
}

#============= getty_t ==============
allow getty_t local_login_t:process { siginh rlimitinh noatsecure };

#============= local_login_t ==============
allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow local_login_t samba_var_t:file write;
allow local_login_t unconfined_t:process { siginh noatsecure };
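As an added example (not from the post above, and not part of Samba or the SELinux tools), here is the same workflow as a small script: an avc_summary function that lists the denials semodule -D -B makes visible, so you can see exactly which allow rules audit2allow is about to generate, and a build_module function that runs the post's steps and then restores the dontaudit rules with semodule -B. The audit lines in sample_log are constructed for the demonstration; AUDIT_LOG and the module name are assumptions.

```shell
#!/bin/sh
# Added example: summarise AVC denials, then build and load a module the
# way the post describes. Sample audit records below are constructed.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}   # assumed default path

# Constructed audit.log excerpt: one non-AVC record plus three denials
# (one of them a duplicate) for the login process, as in the post.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=USER_AUTH msg=audit(1373993372.100:4566): user pid=1234 uid=0 auid=500 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="user" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1373993372.123:4567): avc:  denied  { write } for  pid=1234 comm="login" name="secrets.tdb" dev=dm-0 ino=393224 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
type=AVC msg=audit(1373993372.130:4568): avc:  denied  { siginh } for  pid=1235 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373993380.001:4570): avc:  denied  { write } for  pid=1240 comm="login" name="secrets.tdb" dev=dm-0 ino=393224 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_var_t:s0 tclass=file
EOF
    echo "$f"
}

# Print one "source_type target_type:class perms" line per distinct denial.
# This is what each allow rule in the generated .te will correspond to.
avc_summary() {
    grep 'type=AVC' "$1" | grep 'denied' |
    awk '{
        match($0, /denied  [{] [^}]* [}]/)          # "denied  { perm ... }"
        perm = substr($0, RSTART + 10, RLENGTH - 12)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt ":" cls, perm
    }' | sort -u
}

# The post's procedure, with two additions: review the .te before loading
# it (it allows exactly what was denied), and re-enable dontaudit rules.
build_module() {
    name=$1                                  # e.g. pam_smbpass (assumed)
    semodule -DB                             # rebuild policy without dontaudit rules
    echo "reproduce the failing login, then press Enter"; read _
    avc_summary "$AUDIT_LOG"                 # what you are about to allow
    grep 'comm="login"' "$AUDIT_LOG" | audit2allow -M "$name"   # writes $name.te/.pp
    ${PAGER:-less} "$name.te"
    semodule -i "$name.pp"
    semodule -B                              # put the dontaudit rules back
}
```

Run `build_module pam_smbpass` as root only after reading the summary; the avc_summary output for the sample log is the two distinct denials (samba_var_t:file write and chkpwd_t:process siginh) that map to the allow rules in the post's .te.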
