Enforcing SELinux

Create a local policy module so that the PAM module keeps working when SELinux is set to Enforcing:

Check that the following packages are installed on Oracle Linux:

rpm -q selinux-policy-targeted policycoreutils libselinux-utils libselinux-python libselinux

Note:

Changing the mode from Disabled to Enforcing requires setting SELINUX=enforcing in /etc/selinux/config, creating /.autorelabel so the file system is relabelled, and rebooting. Changing from Permissive to Enforcing can be done immediately with setenforce 1, but set it in /etc/selinux/config as well so that it survives a reboot.
  1. If any of these packages are missing, install them on Oracle Linux:
    $ sudo yum install selinux-policy-targeted policycoreutils libselinux-utils libselinux-python libselinux
  2. Allow outbound communication on 443. nis_enabled is a coarse boolean that lets SSSD (and other confined daemons) use network ports; -P makes the setting persistent across reboots:
    $ sudo setsebool -P nis_enabled 1
  3. Create a local policy module so that sssd_t can create the /opc directory and create, read, and write the pam_nss.log file (the log path configured in /etc/opc.conf). The .te source file can live anywhere because it is compiled into a .pp module by the SELinux utilities.
    1. Create the policy file. The rules below are in the form audit2allow emits; the "!!!! This avc is allowed in the current policy" comment marks a rule (cert_t:file write) that the base policy already grants, and keeping it is harmless:
      $ cat my-sssdbe.te
      module my-sssdbe 1.0;

      require {
          type sssd_t;
          type var_log_t;
          type cert_t;
          type user_home_dir_t;
          class file { open read write };
          class dir { create write };
      }

      #============= sssd_t ==============
      #!!!! This avc is allowed in the current policy
      allow sssd_t cert_t:file write;
      allow sssd_t user_home_dir_t:dir write;
      allow sssd_t var_log_t:dir create;
      allow sssd_t var_log_t:file { open read };
  4. Compile the module and load it (checkmodule is provided by the checkpolicy package; semodule_package and semodule by policycoreutils):
    $ checkmodule -M -m -o my-sssdbe.mod my-sssdbe.te
    $ semodule_package -o my-sssdbe.pp -m my-sssdbe.mod
    $ sudo semodule -i my-sssdbe.pp
  5. Confirm that the module files exist and that the module is loaded:
    $ ls my-sssdbe.pp my-sssdbe.te
    $ sudo semodule -l | grep my-sssdbe
  6. Finally, authenticate the PAM user again with SELinux in Enforcing mode.
    The /opc directory and /opc/pam_nss.log file are created. If authentication still fails, look for new denials with ausearch -m AVC -ts recent, add the corresponding allow rules to my-sssdbe.te, and rebuild and reload the module.
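The procedure above hand-writes the .te file from audit2allow output. The following shell example, added here and not part of the original page or of Oracle's or the SELinux project's code, shows where those rules come from: gen_te is a minimal audit2allow-style generator that turns AVC "denied" records into a module shaped like my-sssdbe.te, and build_and_load runs the same checkmodule/semodule_package/semodule steps. The AVC records are constructed samples (not real audit output) and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page, not code from Oracle or the SELinux project:
# a minimal audit2allow-style generator. gen_te turns AVC "denied" records
# into a .te module shaped like my-sssdbe.te, and build_and_load runs the
# compile/package/install steps. Function names are this example's own.

# Constructed sample denials (not real audit output), modelled on what sssd_t
# would log when it creates /opc and opens /opc/pam_nss.log in Enforcing mode.
SAMPLE_AVCS='type=AVC msg=audit(1600000000.001:101): avc:  denied  { create } for  pid=1234 comm="sssd_be" name="opc" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600000000.002:102): avc:  denied  { open } for  pid=1234 comm="sssd_be" path="/opc/pam_nss.log" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.003:103): avc:  denied  { read } for  pid=1234 comm="sssd_be" path="/opc/pam_nss.log" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.004:104): avc:  denied  { write } for  pid=1234 comm="sssd_be" name="home" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# avc_tuples: read AVC records on stdin and print one
# "SOURCE_TYPE TARGET_TYPE CLASS PERMISSION" line per denied permission,
# deduplicated and sorted. The type is the third field of a context.
avc_tuples() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/^.*denied[ ]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = $0;   sub(/^.*scontext=/, "", src);  sub(/ .*$/, "", src)
        tgt = $0;   sub(/^.*tcontext=/, "", tgt);  sub(/ .*$/, "", tgt)
        cls = $0;   sub(/^.*tclass=/, "", cls);    sub(/ .*$/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print s[3], t[3], cls, p[i]
    }' | sort -u
}

# gen_te MODULE_NAME < avc_records: print a complete .te module on stdout.
# Fails (non-zero) when the input contains no denials, so an empty module is
# noticed instead of being silently built and installed.
gen_te() {
    gen_tuples=$(avc_tuples)
    [ -n "$gen_tuples" ] || { echo "gen_te: no AVC denials in input" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # every source and target type used by a rule must be declared
    printf '%s\n' "$gen_tuples" | awk '{ print $1; print $2 }' | sort -u |
        awk '{ printf "\ttype %s;\n", $1 }'
    # each class is declared with the union of permissions the rules use
    printf '%s\n' "$gen_tuples" | awk '
        !seen[$3, $4]++ { perms[$3] = (perms[$3] == "" ? $4 : perms[$3] " " $4) }
        END { for (c in perms) printf "\tclass %s { %s };\n", c, perms[c] }' | sort
    printf '}\n\n'
    # one allow rule per (source, target, class), permissions merged as audit2allow does
    printf '%s\n' "$gen_tuples" | awk '
        { k = $1 " " $2 ":" $3; r[k] = (r[k] == "" ? $4 : r[k] " " $4) }
        END { for (k in r) printf "allow %s %s;\n", k, (index(r[k], " ") ? ("{ " r[k] " }") : r[k]) }' | sort
}

# build_and_load MODULE_NAME TE_FILE: compile, package, install and confirm.
# Needs root and the SELinux toolchain (checkmodule is in checkpolicy,
# semodule_package and semodule in policycoreutils on Oracle Linux).
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule missing: install checkpolicy" >&2; return 1; }
    checkmodule -M -m -o "$1.mod" "$2" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    sudo semodule -i "$1.pp" &&
    sudo semodule -l | grep -q "^$1"
}

# Demo on the constructed sample; on a real host feed live denials instead:
#   sudo ausearch -m AVC -ts recent | gen_te my-sssdbe > my-sssdbe.te
#   build_and_load my-sssdbe my-sssdbe.te
printf '%s\n' "$SAMPLE_AVCS" | gen_te my-sssdbe
```

Run on the sample, gen_te prints a module declaring sssd_t, var_log_t and user_home_dir_t with the three allow rules from the page (the cert_t rule is absent because the sample contains no denial for it, which is exactly why audit2allow flagged it as already allowed). The real audit2allow also emits the "#============= sssd_t ==============" per-domain headers and handles more record kinds; this example only covers the AVC line format shown here.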