Red Hat Bugzilla – Bug 293181
pam_unix should user helper apps first, check shadow second.
Last modified: 2007-11-30 17:12:15 EST
Description of problem:
pam_unix currently defaults to checking for read access on /etc/shadow and then
fails over to using the helper applications. This causes us to have to add
dontaudit DOMAIN shadow_t:file r_file_perms lines to every app that uses pam.
This prevents us from actually realizing whether a domain is tring to steal the
Making this change would allow us to remove the dontaudit rule.
The code should try to execute the helper apps and if it fails to be able to
execute them (File does not exist, file is not executable), failover to using
Fixed in pam-0.99.8.1-7.fc8
I don't try to read /etc/shadow directly when helper fails as the helper is
always installed and reading /etc/shadow doesn't make sense. But the helper is
executed only when selinux is enabled.