Symptoms
When you run /bin/passwd as root you get an error:
passwd.bin: unable to start pam: Critical error - immediate abort
Failed to change user's password.
Exiting.
If you then run /bin/ausearch -m avc -ts recent, you see a lot of selinux denials for passwd.bin.
Impact
Root/admin user cannot change password using the standard /bin/passwd executable.
Conditions
No special conditions needed
Workaround
The workaround would be to disable selinux, change the password and re-enable selinux:
# setenforce Permissive
# passwd
# setenforce Enforcing
Alternatively, you can use the tmsh commands to change the passwords: tmsh modify auth password root
Lastly, if you want to modify the selinux policy, this is the standard way of doing it:
# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semoduile -i mypasswd.pp
Fix Information
With fix, BIG-IP has no issues with /bin/passwd.bin being denied by selinux and /bin/passwd works as expected.
