SELinux + pam_ldap + sudo

Marti, Robert RJM002 at shsu.edu
Thu Feb 17 16:31:42 UTC 2011


> On 17/02/2011 15:22, Marti, Robert wrote:
> > That doesn't seem like SELinux is interfering, it seems like an issue
> > contacting the ldap server. If it was an SELinux issue there would be
> > avc denials in /var/log/messages and Permissive mode would not block
> > anything.
> 
> As I said in my first message: "pam_ldap is correctly configured: I can
> perform an authentication on an ssh connection".
> 
> So there is absolutely no problem contacting the LDAP server: I have a user
> account with no password and I can open an ssh session on this server using
> my LDAP credentials...

SELinux is good about one thing - it logs excessive amounts of information when it "interferes" with something.
If you don't have any SELinux errors logged in /var/log/messages (or /var/log/audit/audit.log) SELinux isn't interfering, at all.
If you're still convinced it's SELinux, disable it and see (requires a reboot).  If it magically works, I'd love to see ls -lZ /etc/pam.d/s* and any AVCs in /var/log/messages.
 
> I really think that's a SELinux issue misreporting an LDAP problem... I had the
> same problem with a fresh install of RHEL6 and SELinux activated:
> I could not make Kerberos/SSH keys work.
> 

That sounds like a file labeling issue - not a SELinux one.  Again, AVCs would/should help you figure it out.
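The advice above boils down to one check: look for AVC records before blaming SELinux. The script below is an added example, not part of the original thread, showing how to count and summarize `avc: denied` records from audit-log-style lines so that a denial (or its absence) is visible at a glance. The log lines it parses are constructed for the example; the `sudo_t`/`ldap_port_t` contexts in them are illustrative, not a claim about what RHEL6 actually logs.

```shell
#!/bin/sh
# Added example (not from the original thread): triage SELinux AVC denials
# from audit.log-style records. On a real host you would feed it
# /var/log/audit/audit.log (or the output of `ausearch -m AVC`); here the
# input is a constructed sample so the script runs anywhere.

# count_avc_denials FILE -> prints the number of "avc: denied" records in FILE.
# A result of 0 is the thread's point: no AVCs means SELinux is not the blocker.
count_avc_denials() {
    grep -c 'avc: *denied' "$1"
}

# avc_summary FILE -> one "permission|scontext|tcontext|tclass" line per
# distinct denial, so repeated denials collapse into a single row to act on.
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1|\2|\3|\4/p' "$1" \
        | sort -u
}

# Constructed sample log: two identical AVC records plus one unrelated SYSCALL
# record, mimicking what audit.log looks like when a confined process is
# refused a network connect to the LDAP port. Contexts are illustrative.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1297961502.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sudo" dest=389 scontext=unconfined_u:unconfined_r:sudo_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1297961502.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="sudo"
type=AVC msg=audit(1297961503.001:457): avc:  denied  { name_connect } for  pid=1234 comm="sudo" dest=389 scontext=unconfined_u:unconfined_r:sudo_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF

echo "AVC denials found: $(count_avc_denials "$SAMPLE_LOG")"
echo "Distinct denials (permission|scontext|tcontext|tclass):"
avc_summary "$SAMPLE_LOG"

# Follow-ups on a real system, matching the thread's advice: if the summary
# is empty the problem is elsewhere (LDAP reachability, PAM config); if the
# target context looks like a mislabeled file, `ls -lZ /etc/pam.d` shows the
# labels and `restorecon -Rv /etc/pam.d` resets them to policy defaults.
```

Run it on a real audit log by replacing `$SAMPLE_LOG` with the log path; the summary line is the same tuple `audit2allow` and `sealert` key on, which makes it easy to tell a genuine policy gap from a file that simply carries the wrong label.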
