SELinux with omarine policy: Allowing a guest user to login without a password

Omarine runs SELinux in enforcing mode, which is a favorable condition for allowing a user to log in without entering a password. Such a user is allowed to log in only while SELinux is enforcing; in permissive mode the login is denied. The feature is therefore only usable on an SELinux system that operates in enforcing mode, like Omarine. This is understandable, because enforcing mode is the more secure setting in which to apply such a feature.
The feature is not part of SELinux itself. It is provided by the Linux-PAM package, which is SELinux-aware, through the PAM module pam_sepermit.
To allow a user to log in via gdm without entering a password, add the following rule at the beginning of the /etc/pam.d/gdm-password PAM service file:

auth      [success=done ignore=ignore default=bad] pam_sepermit.so

Then add the username to the configuration file /etc/security/sepermit.conf. You can select an existing user or create an additional user account, such as guest, by running this command as the root user:

useradd -m -G users,video guest

Below is an example of adding the guest username to the configuration file (as the root user):

echo guest >> /etc/security/sepermit.conf
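
To check afterwards which accounts the steps above have actually made passwordless, the following audit script is an added example, not part of the original post or of Linux-PAM. The function names are hypothetical, and the entry syntax (user, @group, %seuser, with optional :exclusive and :ignore) is taken from sepermit.conf(5).

```shell
#!/bin/sh
# Added audit sketch (not from the original post). Paths and the SELinux mode
# are arguments so it can be run against copies of the real files.

# Print sepermit.conf entries as "<kind> <name> <options>".
# Per sepermit.conf(5): a line is user, @group or %seuser, optionally
# followed by :exclusive and/or :ignore; lines starting with # are comments.
sepermit_entries() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while IFS= read -r entry; do
        name=${entry%%:*}
        case $entry in *:*) opts=${entry#*:} ;; *) opts=none ;; esac
        case $name in
            @*) echo "group ${name#?} $opts" ;;
            %*) echo "seuser ${name#?} $opts" ;;
            *)  echo "user $name $opts" ;;
        esac
    done
}

# Succeed when the first auth rule of a PAM service file is pam_sepermit.so
# with success=done, i.e. the stack ends before any password module runs.
pam_sepermit_first() {
    awk '$1 == "auth" { first = $0; exit }
         END { exit !(first ~ /success=done/ && first ~ /pam_sepermit\.so/) }' "$1"
}

# Usage: audit_sepermit PAM_FILE SEPERMIT_CONF MODE   (MODE as from getenforce)
# Lists the entries that can log in through this service with no password.
audit_sepermit() {
    pam_sepermit_first "$1" || return 0
    [ "$3" = Enforcing ] || return 0
    sepermit_entries "$2" | while read -r kind name opts; do
        case ":$opts:" in *:ignore:*) continue ;; esac  # ignore never yields success
        echo "passwordless $kind $name"
    done
}

# Example run on a live system (as root):
#   audit_sepermit /etc/pam.d/gdm-password /etc/security/sepermit.conf "$(getenforce)"
```

Any listed account that is not an intentional guest or kiosk login should be removed from /etc/security/sepermit.conf.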
