SELinux with omarine policy: Allowing a guest user to log in without a password


We have Omarine with SELinux in enforcing mode. This is a favorable condition for allowing a user to log in without entering a password. That user is allowed to log in only while SELinux is enforcing; in permissive mode the login is denied. The feature is therefore only available on an SELinux system that operates in enforcing mode, like Omarine. This makes sense, because enforcing mode is the more secure setting in which to offer such a feature.
This feature does not come from SELinux itself but from the Linux-PAM package, which is SELinux-aware. It is implemented by the PAM module pam_sepermit.
To allow a user to log in via gdm without entering a password, add the following rule at the beginning of the /etc/pam.d/gdm-password PAM service file:

auth      [success=done ignore=ignore default=bad] pam_sepermit.so

Then add the username to the configuration file /etc/security/sepermit.conf. You can select an existing user or create an additional user account, such as guest, by running this command as the root user:

useradd -m -G users,video guest

Below is an example of adding the guest username to the configuration file (as the root user):

echo guest >> /etc/security/sepermit.conf
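
To confirm what the steps above actually grant, the following shell functions (an added example, not part of the original post) check that pam_sepermit is the first auth rule of a PAM service file and list the sepermit.conf entries that would log in without a password. The function names and the sample @kiosk and xguest entries are constructed for illustration; the real files are passed in as arguments.

```shell
#!/bin/sh
# Added audit example, not from the original post. File paths are arguments,
# so it can be run against copies of the real files.

# List sepermit.conf entries (user, @group or %seuser) that can succeed.
# Lines starting with '#' are comments; an entry with the "ignore" option
# never returns PAM_SUCCESS, so it does not grant a passwordless login.
sepermit_entries() {
    awk '/^#/ { next }
         { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next
           n = split($0, f, ":"); skip = 0
           for (i = 2; i <= n; i++) if (f[i] == "ignore") skip = 1
           if (!skip) print f[1] }' "$1"
}

# Succeed only if the first auth rule is pam_sepermit.so with success=done.
sepermit_rule_first() {
    awk '$1 == "auth" { first = $0; exit }
         END { ok = (first ~ /pam_sepermit\.so/ && first ~ /success=done/)
               exit !ok }' "$1"
}

# Usage: audit_sepermit PAM_FILE CONF_FILE [MODE]; MODE defaults to getenforce.
audit_sepermit() {
    mode=${3:-$(getenforce 2>/dev/null || echo Unknown)}
    if ! sepermit_rule_first "$1"; then
        echo "inactive: pam_sepermit is not the first auth rule in $1"
        return 1
    fi
    # Listed entries are refused unless SELinux is enforcing.
    sepermit_entries "$2" | while read -r entry; do
        if [ "$mode" = Enforcing ]; then echo "passwordless: $entry"
        else echo "denied ($mode): $entry"; fi
    done
}

# Constructed sample files for a dry run; prints the directory holding them.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth [success=done ignore=ignore default=bad] pam_sepermit.so' \
        'auth substack password-auth' > "$d/gdm-password"
    printf '%s\n' '# constructed entries' 'guest' '@kiosk:exclusive' \
        'xguest:ignore' > "$d/sepermit.conf"
    echo "$d"
}
```

On a live system, run `audit_sepermit /etc/pam.d/gdm-password /etc/security/sepermit.conf` as root; every line reported as passwordless is an account that needs no credential at the gdm greeter.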
