PAM issue for apache user

After a user logs in with Dex, the following error is displayed in the browser at pun/sys/dashboard, where I get redirected.

Error -- sudo: PAM account management error: Permission denied
sudo: unable to open audit system: Permission denied
sudo: a password is required

In the journald logs I find these lines repeated multiple times, where EDITED is the public IP.

apache : PAM account management error: Permission denied ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u lauri -a https%3a%2f%2f<EDITED>%3a443%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri

Notably, if I run it “manually” it works and lets the user in.

sudo -u apache sudo /opt/ood/nginx_stage/sbin/nginx_stage pun -u lauri -a https%3a%2f%2f<EDITED>%3a443%2fnginx%2finit%3fredir%3d%24http_x_forwarded_escaped_uri

Which is weird, since I can confirm this is in place and everything in the PAM configuration seems to work.

[root@controller0 ~]# grep apache /etc/sudoers.d/ood
Defaults:apache !requiretty, !authenticate
Defaults:apache env_keep += "NGINX_STAGE_* OOD_*"
apache ALL=(ALL) NOPASSWD: /opt/ood/nginx_stage/sbin/nginx_stage
[root@controller0 ~]#

My setup on Rocky Linux 8.10 has both UNIX local users (among which apache) and LDAP users in FreeIPA (among which lauri).

I have been trying to fix this for a day already. Does anyone have ideas on what could be wrong?

By setting SELinux to permissive mode, it suddenly works.

sudo setenforce 0

By doing this I could not only confirm it’s SELinux, but also see where the problems lie. One of the many errors that setroubleshoot logs to journald is the following, which clearly caused the issue.

SELinux is preventing /usr/bin/sudo from nlmsg_relay access on the netlink_audit_socket labeled httpd_t.

I guess I will write some custom policies hoping to get it to work without the need to globally disable SELinux.

Glad to hear you got it sorted.

Yeah, the SELinux policy is largely community driven. If you can supply the patch we’ll happily review it and update the policy we distribute.

My solution was to set SELinux to enforcing for a specific type.

semanage permissive -a ood_pun_t

As well as some booleans, needed especially for applications such as launching a desktop session.
These may, however, already be managed by the ondemand-selinux package, so I only put them here for reference.

setsebool -P httpd_mod_auth_pam 1
setsebool -P httpd_read_user_content 1
setsebool -P ondemand_manage_user_home_dir 1
setsebool -P domain_can_mmap_files 1

Alongside it I developed some policies that, since I had not installed ondemand-selinux initially, were written in a very casual manner and are anything but granular, sadly. I will still paste them below.

module my-httpd 1.3;

require {
    type httpd_t;
    type unconfined_t;
    type var_run_t;
    type httpd_tmp_t;
    type user_tmp_t;
    type ood_apps_public_t;
    class unix_stream_socket connectto;
    class sock_file { create open write read ioctl getattr setattr };
    class fifo_file { create open write read ioctl getattr setattr unlink link };
    class file { create open write read ioctl getattr setattr rename unlink link };
}

#============= httpd_t ==============
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file { create open write read ioctl getattr setattr };
allow httpd_t httpd_tmp_t:fifo_file { create open write read ioctl getattr setattr unlink link };
allow httpd_t user_tmp_t:file { create open write read ioctl getattr setattr rename unlink link };
allow httpd_t ood_apps_public_t:file { create open write read ioctl getattr setattr rename unlink link };

Not much, but honest SELinux firefighting.
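The two steps this thread went through by hand (reading the AVC denial that setroubleshoot surfaced once `setenforce 0` had confirmed SELinux was the cause, and then writing a `my-httpd` module with a `require` block and `allow` rules) can be joined into one repeatable step. The script below is an added example, not code from the thread or from the ondemand-selinux package: it parses raw AVC records in the form `ausearch -m AVC` prints them and emits a complete `.te` module of the same shape as the one posted above, merging denied permissions per (source type, target type, class) so the rules stay readable. It is a small, transparent stand-in for `audit2allow -M`. The embedded AVC records are constructed, modelled on the sealert message quoted above; the pids, timestamps, the `user_tmp_t` file records and the module name `my-httpd` are assumptions. The compile/load commands in the comments (`checkmodule`, `semodule_package`, `semodule`) are the standard checkpolicy/policycoreutils toolchain and need a real SELinux host; the parser itself runs anywhere with POSIX sh and awk.

```shell
#!/bin/sh
# avc2te: turn raw SELinux AVC denials into a loadable policy module (.te).
# Added example for this thread; not code from the thread or from the
# ondemand-selinux package. A readable stand-in for `audit2allow -M`, so
# you can see exactly which rule each denial turns into before loading it.
#
# On a real host (needs checkpolicy + policycoreutils; not run here):
#   . ./avc2te.sh
#   ausearch -m AVC -ts recent | avc_to_te my-httpd > my-httpd.te
#   checkmodule -M -m -o my-httpd.mod my-httpd.te
#   semodule_package -o my-httpd.pp -m my-httpd.mod
#   semodule -i my-httpd.pp

# Constructed sample records (assumption: modelled on the sealert message in
# the thread; pids, timestamps and the user_tmp_t records are invented).
SAMPLE_AVC='type=AVC msg=audit(1718000000.101:4101): avc:  denied  { nlmsg_relay } for  pid=4242 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket permissive=0
type=AVC msg=audit(1718000000.102:4102): avc:  denied  { read } for  pid=4243 comm="nginx" path="/tmp/ood/lauri/error.log" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718000000.103:4103): avc:  denied  { write } for  pid=4243 comm="nginx" path="/tmp/ood/lauri/error.log" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# avc_to_te MODULE_NAME  <  avc-records
# Prints a `module` line, a `require` block covering every type and class
# seen, and one allow rule per (source type, target type, class) with the
# denied permissions merged. A target equal to the source is written as
# `self`, as audit2allow does. Non-AVC lines are ignored.
avc_to_te() {
  awk -v mod="${1:-local-fix}" '
    function addtype(t) { if (!(t in types)) { types[t] = 1; tkeys[++nt] = t } }
    function addperm(list, perm) {
      if (index(" " list " ", " " perm " ")) return list   # already present
      if (list == "") return perm
      return list " " perm
    }
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # keep the text after "{ "
      sub(/ *[}].*/, "", perms)           # ...up to the closing "}"
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed record, skip
      addtype(src); addtype(tgt)
      key = src " " ((src == tgt) ? "self" : tgt) ":" cls
      if (!(key in rule))  { rule[key] = "";  rkeys[++nr] = key }
      if (!(cls in cperm)) { cperm[cls] = ""; ckeys[++nc] = cls }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        rule[key]  = addperm(rule[key], p[j])
        cperm[cls] = addperm(cperm[cls], p[j])
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (k = 1; k <= nt; k++) printf "    type %s;\n", tkeys[k]
      for (k = 1; k <= nc; k++) printf "    class %s { %s };\n", ckeys[k], cperm[ckeys[k]]
      printf "}\n\n"
      for (k = 1; k <= nr; k++) printf "allow %s { %s };\n", rkeys[k], rule[rkeys[k]]
    }'
}

# Demo on the constructed records; on a real host pipe ausearch output instead.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-httpd
```

A rule generated this way mirrors the denial literally, and for a denial whose source is `httpd_t` that means widening the web server's own domain. Before loading such a module, check whether a boolean (`getsebool -a`, `semanage boolean -l`) or the ondemand-selinux package already grants the access, and keep the narrow target type the denial names rather than substituting a broader one. `semanage permissive -a ood_pun_t`, as used above, is the other shortcut: it keeps the rest of the system enforcing, but within that one domain every denial is only logged, not blocked, so it grants strictly more than the rules the denials would have produced.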