
I am working with a CentOS 7 minimal install. I configured pam_radius with pam_script and was always able to SSH to the server using pubkey auth: that was on purpose. But after hardening the server according to the STIG guide (a comprehensive walkthrough can be found here) I was no longer able to SSH into the system; or, more accurately, I would log in and then get kicked out immediately. The error in the /var/log/secure file said:

sshd[5589]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

Disabling SELinux, as is par for the course, resolved the issue. But obviously that is not an acceptable resolution.

1 Answer


Some people would obviously accept disabling SELinux, or setting it to permissive, as the answer; but then there will always be a few snarky Linux gurus who will chime in with the words "stop disabling SELinux!" BUT THAT IS ALL THEY WILL SAY! Quit telling people to "stop disabling SELinux" UNLESS YOU ALSO TELL THEM THE SOLUTION!

Well, I found the solution to this one, and since I could not easily find it anywhere on the internet, I will post it here. I followed the Red Hat guide, found here.

I would wager that most people aren't aware of the tool audit2allow. It's a lifesaver. I used it to easily create a loadable SELinux module, and it resolved my issue, so I didn't have to disable SELinux. I basically just went through the steps of connecting via SSH while running the audit2allow tool, and it automagically created the module. I then loaded the module, rebooted, and all is well.

audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp
  • Creating a custom module that allows everything is not ideal. You should instead attempt a login, then use ausearch -m avc -ts recent to get the audit AVCs from the past 5 minutes, and pipe that to audit2allow -m mycertwatch. This will simply print out the rules and definitions that go into creating the module, instead of creating it. Replace the lower case "m" with a capital "M" to create the module. Commented Jun 7, 2019 at 0:49
  • You also should temporarily use permissive mode to catch all the AVCs. For example, SELinux might block a stat() operation, and your module would allow it, but if the code also open()s the file after stat()ing it, your new policy module will not allow it. Commented Jun 7, 2019 at 0:51
  • Thanks for that. I'll be sure to take care when using the tool. Commented Jun 8, 2019 at 1:10
  • Note the above still may not catch everything. Rules can also have "dontaudit" annotations, which cause them not to appear in the logs (since it could get very spammy). But sometimes it's good to see such log entries. For that, use semodule -DB, then semodule -B later to revert back to the "dontaudit" behaviour. Commented Nov 9, 2022 at 1:18
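The workflow the answer and the comments describe, as an added example that is not part of the original answer: the script reproduces the rule-generation step of `ausearch -m avc -ts recent | audit2allow -m mycertwatch` on constructed audit records, so you can see what the rules you are asked to review look like before anything is loaded with `semodule -i`. The AVC lines are made up for illustration; the question never says which denial actually caused the failure, so the target types `example_conf_t` and `example_port_t`, the paths and the audit IDs are hypothetical, and only `sshd_t` is a real SELinux type. The real commands are kept as comments because they need a SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not code from the original answer. It mirrors what
# `ausearch -m avc -ts recent | audit2allow -m mycertwatch` derives from
# AVC denials, using constructed records so it runs without SELinux.
# example_conf_t, example_port_t, the paths and audit IDs are made up.

# Constructed records in /var/log/audit/audit.log format (the SYSCALL
# line and the duplicate "read" denial are there to show both get handled).
AVC_SAMPLE='type=AVC msg=audit(1559863000.101:210): avc:  denied  { read } for  pid=5589 comm="sshd" name="example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559863000.102:211): avc:  denied  { open } for  pid=5589 comm="sshd" path="/etc/example/example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1559863000.102:211): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0
type=AVC msg=audit(1559863000.103:212): avc:  denied  { read } for  pid=5589 comm="sshd" name="example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559863000.104:213): avc:  denied  { name_connect } for  pid=5589 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_te: read raw audit records on stdin and print the allow rules
# audit2allow -m would produce: one rule per (source type, target type,
# object class), with the denied permissions merged and deduplicated.
avc_to_te() {
    LC_ALL=C awk '
        /^type=AVC / && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms)        # keep the text after "{"
            sub(/ *[}].*/, "", perms)                # drop "}" and everything after
            match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
            split(s, sa, ":"); split(t, ta, ":")     # contexts are user:role:type:level
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) print sa[3], ta[3] ":" c, p[i]
        }' |
    LC_ALL=C sort -u |
    LC_ALL=C awk '
        function emit(k, a) {
            if (index(a, " ")) print "allow " k " { " a " };"
            else               print "allow " k " " a ";"
        }
        {
            key = $1 " " $2
            if (key == prev) { acc = acc " " $3; next }
            if (prev != "") emit(prev, acc)
            prev = key; acc = $3
        }
        END { if (prev != "") emit(prev, acc) }'
}

# The sequence on the CentOS host, per the answer and the comments
# (comments only: these commands need a SELinux-enabled system):
#   setenforce 0                      # permissive: log every denial, not only the first
#   semodule -DB                      # also surface denials hidden by dontaudit rules
#   ...attempt the SSH login that was failing...
#   ausearch -m avc -ts recent | audit2allow -m mycertwatch   # print the rules, review them
#   ausearch -m avc -ts recent | audit2allow -M mycertwatch   # build mycertwatch.pp
#   semodule -i mycertwatch.pp
#   semodule -B && setenforce 1       # restore dontaudit, back to enforcing

printf '%s\n' "$AVC_SAMPLE" | avc_to_te
```

Running it prints two rules, `allow sshd_t example_conf_t:file { open read };` and `allow sshd_t example_port_t:tcp_socket name_connect;`. That is the text to read before replacing `-m` with `-M`: if a rule grants sshd_t access to a type it has no business touching, the usual cause is a mislabeled file (fix it with restorecon) rather than a gap in policy, and an allow rule would paper over the real problem.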
