Bug ID 753564: Attempt to change password using /bin/passwd fails

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2

Opened: Dec 19, 2018

Severity: 3-Major

Symptoms

When you run /bin/passwd as root, you get an error:

    passwd.bin: unable to start pam: Critical error - immediate abort Failed to change user's password. Exiting.

If you then run /bin/ausearch -m avc -ts recent, you see many SELinux denials for passwd.bin.

Impact

Root/admin user cannot change password using the standard /bin/passwd executable.

Conditions

No special conditions needed

Workaround

The workaround is to temporarily disable SELinux enforcement, change the password, and re-enable enforcement:

    # setenforce Permissive
    # passwd
    # setenforce Enforcing

Alternatively, you can use the tmsh commands to change the passwords:

    tmsh modify auth password root

Lastly, if you want to modify the SELinux policy, this is the standard way of doing it:

    # ausearch -c passwd.bin --raw | audit2allow -M mypasswd
    # semodule -i mypasswd.pp

audit2allow -M also writes the generated rules to mypasswd.te; review that file before loading the module.
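The first workaround depends on the final setenforce Enforcing actually being run. The shell function below is an added example, not F5 code: it runs one command with SELinux permissive and restores enforcing mode even if the command fails or the operator presses Ctrl-C. The name run_permissive and the GETENFORCE/SETENFORCE override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug record). GETENFORCE/SETENFORCE default to
# the real tools; being able to override them is an assumption of this sketch
# so the logic can be exercised on a machine without SELinux.
GETENFORCE=${GETENFORCE:-getenforce}
SETENFORCE=${SETENFORCE:-setenforce}

# run_permissive CMD [ARGS...]
#   0..N  exit status of CMD, with enforcing mode restored
#   1     could not read or change the SELinux mode (CMD not run)
#   2     CMD ran, but enforcing mode could NOT be restored
run_permissive() {
    rp_prev=$("$GETENFORCE") || return 1
    if [ "$rp_prev" != Enforcing ]; then
        # Already Permissive or Disabled: nothing to toggle, nothing to restore.
        "$@" || return $?
        return 0
    fi

    "$SETENFORCE" Permissive || return 1

    # While permissive, do not let INT/TERM/HUP end this shell before the
    # restore step. The child still receives the signal and can exit.
    trap : INT TERM HUP
    rp_rc=0
    "$@" || rp_rc=$?
    trap - INT TERM HUP

    if ! "$SETENFORCE" Enforcing || [ "$("$GETENFORCE")" != Enforcing ]; then
        echo "run_permissive: SELinux is still not enforcing" >&2
        return 2
    fi
    return "$rp_rc"
}

# Usage on the affected system, as root:
#   run_permissive passwd
```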

Fix Information

With the fix, SELinux no longer denies /bin/passwd.bin, and /bin/passwd works as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips