PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

[Justin P. Mattock]

Hello;
after loading the latest policycoreutils
I'm experiencing a bit of difficulties trying
to understand how to set:
/etc/selinux/newrole_pam.conf
(what do I put in there?)
I have: /usr/bin/aterm /etc/pam.d/test
in there, and in 
/etc/pam.d/test I have:
auth required /lib/security/pam_unix.so

but, unfortunantly receive a no password error 
when wanting to change roles.

after looking at auth.log I see a:
newrole: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

If I make: /etc/pam.d/system-auth
newrole will work perfectly until
I go and write the allow rules,
and put the policy into enforcing mode.

What or were do I find the info on what
to put in /etc/selinux/newrole_pam.conf
and so forth to have this new way 
for newrole work?

regards;

-- 
Justin P. Mattock <justinmattock@gmail.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

[Xavier Toth]

On Sat, Nov 29, 2008 at 7:25 PM, Justin P. Mattock
<justinmattock@gmail.com> wrote:
> Hello;
> after loading the latest policycoreutils
> I'm experiencing a bit of difficulties trying
> to understand how to set:
> /etc/selinux/newrole_pam.conf
> (what do I put in there?)
> I have: /usr/bin/aterm /etc/pam.d/test
> in there, and in
> /etc/pam.d/test I have:
> auth required /lib/security/pam_unix.so
>
> but, unfortunantly receive a no password error
> when wanting to change roles.
>
> after looking at auth.log I see a:
> newrole: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
>
> If I make: /etc/pam.d/system-auth
> newrole will work perfectly until
> I go and write the allow rules,
> and put the policy into enforcing mode.
>
> What or were do I find the info on what
> to put in /etc/selinux/newrole_pam.conf
> and so forth to have this new way
> for newrole work?
>
> regards;
>
> --
> Justin P. Mattock <justinmattock@gmail.com>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

man newrole

newrole_pam.conf contains mappings of applications to pam
configuration files to be used. Each line contains the executable file
name followed by the name of a pam config file that exists in
/etc/pam.d.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

[Justin P. Mattock]

On Sun, 2008-11-30 at 10:58 -0600, Xavier Toth wrote:
> On Sat, Nov 29, 2008 at 7:25 PM, Justin P. Mattock
> <justinmattock@gmail.com> wrote:
> > Hello;
> > after loading the latest policycoreutils
> > I'm experiencing a bit of difficulties trying
> > to understand how to set:
> > /etc/selinux/newrole_pam.conf
> > (what do I put in there?)
> > I have: /usr/bin/aterm /etc/pam.d/test
> > in there, and in
> > /etc/pam.d/test I have:
> > auth required /lib/security/pam_unix.so
> >
> > but, unfortunantly receive a no password error
> > when wanting to change roles.
> >
> > after looking at auth.log I see a:
> > newrole: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
> >
> > If I make: /etc/pam.d/system-auth
> > newrole will work perfectly until
> > I go and write the allow rules,
> > and put the policy into enforcing mode.
> >
> > What or were do I find the info on what
> > to put in /etc/selinux/newrole_pam.conf
> > and so forth to have this new way
> > for newrole work?
> >
> > regards;
> >
> > --
> > Justin P. Mattock <justinmattock@gmail.com>
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >
> 
> man newrole
> 
> newrole_pam.conf contains mappings of applications to pam
> configuration files to be used. Each line contains the executable file
> name followed by the name of a pam config file that exists in
> /etc/pam.d.

Thanks for the help with this.
(I'll have a look in the manual).
What about setting pam_namespace
i.g. does this have to be set correctly
to acquire the right capability, or does it
not matter if you have namespace or not?

regards;

-- 
Justin P. Mattock <justinmattock@gmail.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth

[Justin P. Mattock]

On Sun, 2008-11-30 at 10:58 -0600, Xavier Toth wrote:
> On Sat, Nov 29, 2008 at 7:25 PM, Justin P. Mattock
> <justinmattock@gmail.com> wrote:
> > Hello;
> > after loading the latest policycoreutils
> > I'm experiencing a bit of difficulties trying
> > to understand how to set:
> > /etc/selinux/newrole_pam.conf
> > (what do I put in there?)
> > I have: /usr/bin/aterm /etc/pam.d/test
> > in there, and in
> > /etc/pam.d/test I have:
> > auth required /lib/security/pam_unix.so
> >
> > but, unfortunantly receive a no password error
> > when wanting to change roles.
> >
> > after looking at auth.log I see a:
> > newrole: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
> >
> > If I make: /etc/pam.d/system-auth
> > newrole will work perfectly until
> > I go and write the allow rules,
> > and put the policy into enforcing mode.
> >
> > What or were do I find the info on what
> > to put in /etc/selinux/newrole_pam.conf
> > and so forth to have this new way
> > for newrole work?
> >
> > regards;
> >
> > --
> > Justin P. Mattock <justinmattock@gmail.com>
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >
> 
> man newrole
> 
> newrole_pam.conf contains mappings of applications to pam
> configuration files to be used. Each line contains the executable file
> name followed by the name of a pam config file that exists in
> /etc/pam.d.

"shit", right under my nose!!
newrole -r user_r -- -c /usr/bin/aterm /etc/pam.d/*
works. 

-- 
Justin P. Mattock <justinmattock@gmail.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.