Wednesday, August 4, 2010

MOTP with SELinux

MOTP (Mobile-OTP) is a mobile one-time-password tool that adds a second authentication factor to remote logins. If you have a large environment, run MOTP on a RADIUS server for centralized administration. I only have a few servers, so the PAM module is easier to set up. Testing went well, but when I tried to enable it in production, SELinux blocked the access.

So here is the SELinux policy module that lets the MOTP PAM module work with SSH on the RHEL6 beta, in addition to the other steps in the setup. Save it as motp.te, compile it with checkmodule and semodule_package, and load it with semodule -i.
module motp 1.0;

require {
    type chkpwd_t;
    type unconfined_t;
    type var_t;
    type sshd_t;
    class process { siginh noatsecure rlimitinh };
    class file { read write getattr open };
}

# sshd starting the password-check helper and the user's session.
# These process permissions are commonly covered by dontaudit rules in the
# reference policy, so the denials only show up once dontaudit is disabled.
allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow sshd_t unconfined_t:process { siginh noatsecure };

# The MOTP PAM module reads and updates its data files under /var.
# var_t is the generic label for /var, so this rule lets sshd write any
# file carrying that label; giving the MOTP data files their own type
# (and restoring it with restorecon) would be a tighter policy.
allow sshd_t var_t:file { read write getattr open };
I have to admit Red Hat did a great job with SELinux in RHEL6. The following new features make SELinux administration much easier.
  • Temporarily disabling dontaudit rules (semodule -DB rebuilds the policy without them; semodule -B puts them back)
  • Making a single domain permissive (semanage permissive -a sshd_t logs sshd's denials without enforcing them; semanage permissive -d sshd_t reverts it)
  • Really good documentation (still beta)
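How a module like the one above is produced and loaded, as an added example that is not part of the original post: the script below turns AVC denial records (the same shape as the entries in /var/log/audit/audit.log) into a TE module with the same layout as the motp module, and shows the checkmodule / semodule_package / semodule sequence that loads it, with the two RHEL6 helpers from the list above in comments. The awk function is a deliberately small stand-in for audit2allow, not the real tool; the sample AVC lines, their PIDs and the file name "otp" are constructed placeholders, not real MOTP paths or log data.

```shell
#!/bin/sh
# Added example, not code from the original post or from MOTP.

# Constructed sample AVC records (placeholders, not real log data). The last
# line duplicates the first to show that repeated denials collapse into one rule.
SAMPLE_AVC='type=AVC msg=audit(1280900000.101:201): avc:  denied  { read } for  pid=2101 comm="sshd" name="otp" dev=dm-0 ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1280900000.102:202): avc:  denied  { write } for  pid=2101 comm="sshd" name="otp" dev=dm-0 ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1280900000.103:203): avc:  denied  { getattr open } for  pid=2101 comm="sshd" name="otp" dev=dm-0 ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1280900000.104:204): avc:  denied  { siginh rlimitinh noatsecure } for  pid=2102 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1280900000.101:201): avc:  denied  { read } for  pid=2101 comm="sshd" name="otp" dev=dm-0 ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_to_te <module_name>  (AVC lines on stdin, TE module on stdout)
# Small hand-rolled stand-in for audit2allow: collects source type, target
# type, class and permissions from each "avc: denied" record, deduplicates
# them, and prints a require block plus one allow rule per (source,target,class).
avc_to_te() {
  awk -v mod="$1" '
  /avc: *denied/ {
    perms = ""; inbr = 0; s = ""; t = ""; c = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inbr = 1; continue }
      if ($i == "}") { inbr = 0; continue }
      if (inbr)      { perms = perms " " $i; continue }
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # user:role:TYPE:level
      if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
      if ($i ~ /^tclass=/)   { split($i, a, "="); c = a[2] }
    }
    if (s == "" || t == "" || c == "") next
    if (!(s in seen_type))  { seen_type[s] = 1;  types[++nt] = s }
    if (!(t in seen_type))  { seen_type[t] = 1;  types[++nt] = t }
    if (!(c in seen_class)) { seen_class[c] = 1; classes[++nc] = c }
    key = s ":" t ":" c
    if (!(key in seen_rule)) { seen_rule[key] = 1; rules[++nr] = key }
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++) {
      if (!((c, p[j]) in seen_cp))   { seen_cp[c, p[j]] = 1;   cperms[c] = cperms[c] " " p[j] }
      if (!((key, p[j]) in seen_rp)) { seen_rp[key, p[j]] = 1; rperms[key] = rperms[key] " " p[j] }
    }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
    for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], cperms[classes[i]]
    printf "}\n\n"
    for (i = 1; i <= nr; i++) {
      split(rules[i], k, ":")
      printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rperms[rules[i]]
    }
  }'
}

# build_and_load <file.te>: the standard checkpolicy/policycoreutils sequence.
# Run as root on the target host; nothing here is MOTP-specific.
build_and_load() {
  te=$1
  base=${te%.te}
  command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found (checkpolicy package)" >&2; return 1; }
  checkmodule -M -m -o "$base.mod" "$te" &&
  semodule_package -o "$base.pp" -m "$base.mod" &&
  semodule -i "$base.pp"
}

# On a real host the workflow is:
#   semodule -DB                      # RHEL6: show denials hidden by dontaudit rules
#   semanage permissive -a sshd_t     # RHEL6: log sshd denials without enforcing
#   (reproduce the failing login)
#   grep 'avc: *denied' /var/log/audit/audit.log | avc_to_te motp > motp.te
#   (review motp.te, tighten var_t to a more specific type if you can)
#   build_and_load motp.te
#   semanage permissive -d sshd_t && semodule -B   # back to enforcing, dontaudit restored
printf '%s\n' "$SAMPLE_AVC" | avc_to_te motp
```

Always read the generated .te before loading it: a rule such as allow sshd_t var_t:file { read write } is exactly what the denials ask for, but it grants more than the MOTP data files, so the review step is where the policy gets narrowed.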
