
After updating PAM, the secure log started showing:

```
su: PAM unable to dlopen(/lib64/security/pam_rootok.so): /lib64/security/pam_rootok.so: undefined symbol: selinux_check_access
su: PAM adding faulty module: /lib64/security/pam_rootok.so
```

Given the name of the file this seems like a serious concern, but I can't find any information about the error. I don't let anyone log onto this server so I'm not trying to protect against local users, but I still want PAM to work properly against anyone who has gained unauthorized access.

Edit: pam_rootok.so does exist and its permissions are the same as the other files under /lib64/security. Also su seems to work since I can still move from non-root users to root.

JMC

1 Answer


The key bit of the error is

```
undefined symbol: selinux_check_access
```

This symbol should be in /lib64/libselinux.so.1. You might want to check that file is present, readable and has a good checksum.

Flup
  • Thanks, the file does exist with proper permissions. I understand checksums, but what's a good way to find the correct checksum for that file? – JMC Aug 29 '14 at 15:12
  • I'll leave that for someone who knows centos... might also be worth checking the output of `ldd /lib64/security/pam_rootok.so` to see what libraries it loads dynamically in case it's looking elsewhere. – Flup Aug 29 '14 at 15:13
  • You can `yum provides /lib64/libselinux.so.1` to find the package providing this file then `rpm -V ` to verify the package. If SELinux is enabled, make sure it is not denying access to the file, etc. – Aaron Copley Aug 29 '14 at 16:35
  • @AaronCopley: Thanks, that's good information to get me started. – JMC Aug 29 '14 at 17:21
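
The symbol check from the answer, combined with the `ldd` suggestion in the comments, as an added shell example that is not part of the original thread: it lists the symbols a module needs that none of the libraries `ldd` resolves actually export. The function names and the `nm` output inside `demo` are constructed for illustration, and it assumes binutils `nm` and `ldd` are installed.

```shell
#!/bin/sh
# Added example: list symbols a shared object needs that none of its libraries export.
LC_ALL=C; export LC_ALL   # keep sort and comm orderings consistent

# stdin: `nm -D --undefined-only` output. Weak references (type w/v) are
# skipped because the loader does not fail on them.
undefined_syms() {
    awk 'NF >= 2 && $(NF-1) == "U" { s = $NF; sub(/@.*/, "", s); print s }' | sort -u
}

# stdin: `nm -D --defined-only` output ("address type name[@@version]").
defined_syms() {
    awk 'NF >= 3 { s = $NF; sub(/@.*/, "", s); print s }' | sort -u
}

# unresolved WANT HAVE: names in sorted file WANT that are missing from HAVE.
unresolved() { comm -23 "$1" "$2"; }

# Live check on a real module, e.g. check_module /lib64/security/pam_rootok.so
check_module() {
    t=$(mktemp -d) || return 2
    nm -D --undefined-only "$1" | undefined_syms > "$t/want"
    # Every absolute path ldd prints is a library the loader would map.
    ldd "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        while read -r lib; do nm -D --defined-only "$lib"; done |
        defined_syms > "$t/have"
    unresolved "$t/want" "$t/have"
    rm -rf "$t"
}

# Constructed nm output (not from a real system): a module that imports
# selinux_check_access and a library export list that does not contain it.
demo() {
    d=$(mktemp -d) || return 2
    undefined_syms > "$d/want" <<'EOF'
                 U getuid
                 U pam_syslog@LIBPAM_EXTENSION_1.0
                 U selinux_check_access
                 w __gmon_start__
EOF
    defined_syms > "$d/have" <<'EOF'
0000000000005a10 T is_selinux_enabled
000000000000f1c0 T getuid
0000000000003300 T pam_syslog@@LIBPAM_EXTENSION_1.0
EOF
    unresolved "$d/want" "$d/have"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then check_module "$1"; else demo; fi
```

Empty output from `check_module` means every strong import is satisfied by a library the loader would pick up; any name it prints is one `dlopen` would report as an undefined symbol.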