
KB-51676: Error, failed to execute /bin/cdax/bash: operation not permitted, when trying to login to a system with a STIG security policy

Authentication Service

26 April,21 at 08:35 PM

Problem:  

On a RHEL-based system where a STIG has been implemented and where Centrify DirectAudit is installed alongside the CentrifyDC agent, logging in to the system, or running su to another user while logged in as root, fails with the following error:
 
failed to execute /bin/cdax/bash: operation not permitted


Cause:

The STIG requirement for "fapolicyd" is causing the issue and appears to be blocking Centrify-related paths and commands.


Resolution:

fapolicyd can be set to permissive, disabled, or updated to include the Centrify file paths. After making the change, restart CentrifyDC.
 
  • To set fapolicyd to permissive:
    • As root or a root-equivalent user, edit /etc/fapolicyd/fapolicyd.conf and set permissive=1, save the file, and then reload fapolicyd with the system command systemctl restart fapolicyd
 
  • To add the Centrify file paths to fapolicyd, use the fapolicyd-cli utility with options similar to those below, run as root or a root-equivalent user:
    • fapolicyd-cli --file add <path to file>
 
For example: 
fapolicyd-cli --file add /bin/cdax/
fapolicyd-cli --file add /usr/share/centrifydc/
 
  • Then run fapolicyd-cli --update
 
  • To disable fapolicyd, as root or a root-equivalent user, use the system commands:
    • systemctl stop fapolicyd
    • systemctl disable fapolicyd
 
  • Restart CentrifyDC agent.  
    • /usr/share/centrifydc/bin/centrifydc restart

Please contact Red Hat for further support, and for questions and recommendations on fapolicyd and how to modify the fapolicyd settings.
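
To confirm which of the states above a host is in after the change, a check like the following can be run against the fapolicyd files. This is an added example, not part of the original article or of Centrify or Red Hat tooling: the function names are hypothetical, and it assumes the trust file written by `fapolicyd-cli --file add` is /etc/fapolicyd/fapolicyd.trust with entries of the form `<path> <size> <sha256>`.

```shell
#!/usr/bin/env bash
# Added example: report how fapolicyd is set up with respect to the Centrify paths.
# On a host, pass /etc/fapolicyd/fapolicyd.conf and /etc/fapolicyd/fapolicyd.trust
# (assumed default locations).

# Print the effective "permissive" value from a fapolicyd.conf (0 if unset).
permissive_value() {
    awk -F= '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == "permissive" { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# Succeed if the trust file ($1) has at least one entry under directory $2.
# Only the path field of each "<path> <size> <sha256>" entry is inspected.
trust_covers() {
    dir="${2%/}/"
    awk -v d="$dir" '
        /^[[:space:]]*#/ || NF == 0 { next }
        index($1, d) == 1 { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Classify the state for the two paths named in the article.
centrify_fapolicyd_state() {
    conf=$1; trust=$2
    if [ "$(permissive_value "$conf")" = "1" ]; then
        echo "permissive"; return 0
    fi
    for d in /bin/cdax /usr/share/centrifydc; do
        trust_covers "$trust" "$d" || { echo "enforcing-untrusted:$d"; return 0; }
    done
    echo "enforcing-trusted"
}

# Constructed sample input (not from a real host): enforcing mode, one path trusted.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample\npermissive = 0\n' > "$tmp/fapolicyd.conf"
    printf '/bin/cdax/bash 1234 %064d\n' 0 > "$tmp/fapolicyd.trust"
    centrify_fapolicyd_state "$tmp/fapolicyd.conf" "$tmp/fapolicyd.trust"
    rm -rf "$tmp"
}
demo
```

A result of `enforcing-untrusted:<dir>` means fapolicyd is enforcing and no trust entry was found under that directory, which is the condition under which the error above is expected.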

 
Note:
 
If fapolicyd is enabled, without any of the above changes, after a non-root user has logged in to the system, library errors may also be seen when trying to run Centrify commands.

For more information, see Knowledge Base Article: 
KB-50826: libeda.so.0 Cannot Open Shared Object File