SELinux with omarine policy: Allowing a guest user to login without a password



Omarine runs SELinux in enforcing mode, which makes it reasonable to allow a user to log in without entering a password. Such a user can log in only while SELinux is enforcing; in permissive mode the login is denied. The feature is therefore only available on an SELinux system that operates in enforcing mode, like Omarine. This makes sense, because enforcing mode is the more secure setting in which to offer such a feature.
The feature is provided not by SELinux itself but by the Linux-PAM package, which is SELinux-aware. It is implemented by the PAM module pam_sepermit.
To allow a user to log in via gdm without entering a password, add the following rule at the beginning of the /etc/pam.d/gdm-password PAM service file:


auth      [success=done ignore=ignore default=bad] pam_sepermit.so


Then add the username to the configuration file /etc/security/sepermit.conf. You can select an existing user or create an additional user account, such as guest, by running this command as the root user:


useradd -m -G users,video guest


Below is an example of adding the guest username to the configuration file (as the root user):


echo guest >> /etc/security/sepermit.conf
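
To review what the two files above now grant, here is an added audit example (not part of the original post): it lists the sepermit.conf entries that can log in without a password and checks that pam_sepermit.so is the first auth rule. The `ignore` and `exclusive` options are those documented in sepermit.conf(5); the `kiosk` and `%staff_u` entries and the `system-auth` include line are constructed sample data.

```shell
#!/bin/sh
# Added audit example; not from the original post.

# Print the sepermit.conf entries for which pam_sepermit can return success,
# i.e. entries without the "ignore" option. Lines starting with '#' and blank
# lines are skipped. Entries may be a user, @group or %seuser.
sepermit_passwordless_entries() {
    awk '
        /^#/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        {
            n = split($0, f, ":"); ignore = 0
            for (i = 2; i <= n; i++) if (f[i] == "ignore") ignore = 1
            if (!ignore) print f[1]
        }' "$1"
}

# Succeed only if the first auth rule in a PAM service file is pam_sepermit.so
# with success=done, the placement the post describes.
pam_sepermit_is_first_auth() {
    first=$(awk '$1 == "auth" || $1 == "-auth" { print; exit }' "$1")
    case "$first" in
        *success=done*pam_sepermit.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files, so the demo runs without touching /etc.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'guest' 'kiosk:exclusive' \
    '%staff_u:ignore' > "$demo/sepermit.conf"
printf '%s\n' \
    'auth      [success=done ignore=ignore default=bad] pam_sepermit.so' \
    'auth      include   system-auth' > "$demo/gdm-password"

echo "Entries that can log in without a password:"
sepermit_passwordless_entries "$demo/sepermit.conf"
if pam_sepermit_is_first_auth "$demo/gdm-password"; then
    echo "pam_sepermit is the first auth rule and ends the stack on success"
else
    echo "pam_sepermit is not the first auth rule with success=done"
fi
rm -rf "$demo"
```

On a real system, call the two functions with /etc/security/sepermit.conf and /etc/pam.d/gdm-password. Any @group or %seuser entry in the output covers every matching account, not a single user.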


