Allow sudodomain read var auth files
This permission is required when pam is configured to use files
in the /var/auth directory with var_auth_t type, e.g. pam_securid
using RSA authentication as a part of the pam stack.
The failure is reported in journal as:
[...] sudo: PAM unable to dlopen(/usr/lib64/security/pam_securid.so): /var/ace/lib/64bit/libpamrest.so: cannot open shared object file: Permission denied

Resolves: RHEL-16708
zpytela committed Nov 27, 2023
1 parent eba81d0 commit 93e012e
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/admin/sudo.te
Expand Up @@ -92,6 +92,7 @@ term_use_ptmx(sudodomain)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid(sudodomain)
auth_manage_faillog(sudodomain)
auth_read_var_auth(sudodomain)
auth_rw_lastlog(sudodomain)

application_signal(sudodomain)
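
Review bot: the added auth_read_var_auth(sudodomain) line carries no comment, while auth_manage_pam_pid(sudodomain) just above it is explained by "# sudo stores a token in the pam_pid directory". A one-line comment naming the case from the commit message (pam_securid with var_auth_t files) would keep the reason for this grant visible in sudo.te. The rule also applies unconditionally to every domain in the sudodomain attribute, so the commit message should say whether that breadth is intended. Finally, the commit message refers to /var/auth while the logged failure is on /var/ace/lib/64bit/libpamrest.so, and the failing operation is a dlopen of a shared object; please confirm that this path is labeled var_auth_t and that read access alone is enough for the library to load.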