Adam Bishop wrote:
I suspect the problem here is either SELinux or the shadow group not existing.
Quote possibly.
RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if its needed.
That's unfriendly. Oh well.
It's also tagged with a unique policy type:
[root@orps1 ~]# ls -alZ /etc/shadow ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
Which I *think* would cause an AVC denial.
Yes.
Then there's the small matter of /etc/shadow having no permission mask by default.
Arg. That's Unix 101 debugging, TBH. Track down the root cause of the problem, and fix it.
But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :)
Yes. The people who claim decades of experience usually don't follow standard practices. The people who have decades of experience just get follow standard practice, and things done. Alan DeKok.