SELINUX=enforcing: custom PAM service module for an MFA-based application fails to create a new user, add it to a group, and do password sync using the "not listed" option through the login screen on RHEL 8.5 and RHEL 8.9 in Enforcing mode
#441 · Open · Mahaboob-Aslam opened this issue Sep 12, 2024 · 0 comments
Hostname: localhost.localdomain
OS: RHEL-8.5 and RHEL-8.9
Description:
We have a custom PAM service module for an MFA-based application that is failing to create a new user, add it to a group, and do a password sync using the "not listed" option through the login screen on RHEL 8.x when "SELINUX=enforcing" is set in the /etc/selinux/config file. To create the new user, the "useradd" command is used in the code; the user is then added to a group, and later a password sync is done. This is when UPS is enabled with SELinux in Enforcing mode.
It was working fine until we added the Red Hat subscription. The problem started after adding the subscription.
To resolve this issue, we removed all the policy package files and collected the AVC denial logs using the following commands:
ausearch -m avc -ts recent > denailesenforcing.log
ausearch -m avc -ts recent > notlisteddenialsenforcing.log
The above logs were collected in a RHEL 8.9 environment.
With these logs, I built the .te files and then built the respective .pp files.
Used the following commands to generate the .pp files:
In RHEL 8.5 OS:
On installing these files, I am able to create a user and log in through the "not listed" option in the UI in the same session on RHEL 8.5, and I am also able to do SSH logins and create a user using ssh-ups logins, in Permissive mode.
Whereas in Enforcing mode, I am not able to create a user and log in through the "not listed" option in the UI in the same session on RHEL 8.5, whereas SSH and ssh-ups are working fine.
In RHEL 8.9 OS:
Using the above .pp files, I am able to create a user but not able to log in through the "not listed" option in the UI in the same session on RHEL 8.9; I am also able to do SSH logins and create a user using ssh-ups logins, in Permissive mode.
Whereas in Enforcing mode, I am not able to create a user and log in through the "not listed" option in the UI on RHEL 8.9, whereas SSH and ssh-ups are working fine. For your reference, I am attaching the .log files and related .te files to the case.
Please let me know why this is failing to log in, in Permissive mode on RHEL 8.9, after creating a user.
And since it was not allowing me to log in as an existing user in Enforcing mode, I had to use the existing passwd_policy.pp file to overcome the issue.
Since I don't have the .log and .te files related to passwd_policy.pp, I am sending it along with the log and .te files attached for your reference.
Please help me with what I need to do in Enforcing mode on both RHEL 8.5 and 8.9 to create a user and log in using the "not listed" option through the UI, and if possible please correct the .te files based on the .log files so that I can create a user and log into the system in one session in Enforcing mode.
LogsTE-files.zip
Regards
Aslam
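The procedure the issue describes (collect AVC denials with ausearch, build a .te from them, package it as a .pp, load it) is normally done with audit2allow. As an added example that is not from the issue, its attachments or the project, the script below reimplements the denial-to-.te step in plain sh/awk so that the mapping from AVC record fields (scontext, tcontext, tclass, the denied permission set) to `allow` and `require` statements is visible, and then shows the packaging commands. The sample AVC lines are constructed; the module name my_mfa_pam and the SELinux types in the sample (xdm_t, useradd_exec_t, shadow_t) are assumptions chosen to resemble a login-screen-to-useradd path and are not the denials in the attached logs.

```shell
#!/bin/sh
# Added example, not code from the issue or its attachments. A dependency-free stand-in
# for `audit2allow` that turns AVC denial records into a .te module, plus the commands
# that package and load it. Module name and sample types are assumptions.

# Constructed sample AVC records shaped like `ausearch -m avc` output. These are NOT the
# denials from the attached logs; the types are stock targeted-policy types chosen only
# to illustrate a login-manager domain invoking useradd.
SAMPLE_AVC='type=AVC msg=audit(1726131234.567:1201): avc:  denied  { execute } for  pid=2301 comm="sh" name="useradd" dev="dm-0" ino=123 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1726131235.001:1202): avc:  denied  { read open } for  pid=2302 comm="useradd" name="shadow" dev="dm-0" ino=456 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1726131235.002:1203): avc:  denied  { write } for  pid=2302 comm="useradd" name="shadow" dev="dm-0" ino=456 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Count denials logged in enforcing (permissive=0) vs permissive (permissive=1) mode.
# In enforcing mode the kernel stops the process at the first denial, so a log taken
# there usually covers only the first step of a multi-step action such as useradd.
avc_mode_summary() {
    awk '/avc: +denied/ { if ($0 ~ /permissive=1/) p++; else e++ }
         END { printf "enforcing=%d permissive=%d\n", e + 0, p + 0 }'
}

# Reduce AVC records on stdin to unique "source_type target_type class permission" tuples.
avc_to_rules() {
    awk '/avc: +denied/ {
            match($0, /[{][^}]*[}]/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)      # text between { and }
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }   # user:role:TYPE:...
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
        }' | LC_ALL=C sort -u
}

# Emit a complete .te source for module $1 from AVC records on stdin.
avc_to_te() {
    mod=$1
    rules=$(avc_to_rules)
    [ -n "$rules" ] || { echo "no AVC denials on input" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$mod"
    # every source and target type must be declared in the require block...
    printf '%s\n' "$rules" | awk '{ print $1; print $2 }' | LC_ALL=C sort -u |
        awk '{ printf "\ttype %s;\n", $1 }'
    # ...as must every class, with the permissions the rules use
    printf '%s\n' "$rules" | awk '{ print $3, $4 }' | LC_ALL=C sort -u |
        awk '$1 != cls { if (cls != "") printf " };\n"; cls = $1; printf "\tclass %s {", cls }
             { printf " %s", $2 }
             END { if (cls != "") printf " };\n" }'
    printf '}\n\n'
    # one allow rule per (source, target, class), permissions merged and sorted
    printf '%s\n' "$rules" |
        awk 'function flush() {
                 if (cur == "") return
                 if (cnt == 1) printf "allow %s %s;\n", cur, perms
                 else printf "allow %s { %s };\n", cur, perms
             }
             { k = $1 " " $2 ":" $3 }
             k != cur { flush(); cur = k; perms = $4; cnt = 1; next }
             { perms = perms " " $4; cnt++ }
             END { flush() }'
}

# Compile and load $1.te (checkpolicy/policycoreutils, needs root; not run by the demo).
build_and_load_pp() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Demo on the constructed sample. On a real host the input would come from
# `ausearch -m avc -ts recent | avc_to_te my_mfa_pam > my_mfa_pam.te`.
printf '%s\n' "$SAMPLE_AVC" | avc_mode_summary
printf '%s\n' "$SAMPLE_AVC" | avc_to_te my_mfa_pam
```

In practice the generation step is `ausearch -m avc -ts recent | audit2allow -M my_mfa_pam`, which writes both the .te and the .pp; the hand-rolled version above exists to make three checks visible. First, every record in the sample carries permissive=0, which means each was the point at which the kernel stopped the process; a module built only from enforcing-mode logs therefore tends to fix one denial and expose the next, which matches a pattern of working in Permissive mode and failing in Enforcing mode. Collecting the full chain in Permissive mode (or with a permissive domain) and rebuilding is the usual answer. Second, denials covered by dontaudit rules never reach the log at all; `semodule -DB` disables those rules for collection and `semodule -B` restores them. Third, read the generated allow rules before loading: granting a login-manager domain direct access to shadow-type files is a large grant, and a practitioner would first check whether the installed policy already provides a domain transition for the program (for example `sesearch -T -s <source domain> -t <exec type>`) and allow that transition instead of the raw file accesses.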