https://bugzilla.redhat.com/show_bug.cgi?id=1283296
--- Comment #17 from Seth Jennings <spartacus06(a)gmail.com> ---
Sorry for the delayed reply.
(In reply to Georg Sauthoff from comment #16)
> I've tested it on Fedora 23 and it doesn't work with SELinux set to
> enforce (the default setting). Only after executing
>
> semanage permissive -a local_login_t
>
> the module worked.
>
> Also, a Fedora-specific README would be helpful - i.e. one where it is
> described what files you have to change in what way.

Yes, a Fedora README would be a good idea.

> For example, I wanted to configure U2F as a 2nd factor in addition to
> password authentication - for local console logins and gnome shell
> (including unlocking a locked screen). I've managed to do that via adding
> this line before the `auth ... password-auth` line in
> /etc/pam.d/{login,gdm-password}:
>
> auth requisite pam_u2f.so debug authfile=/etc/u2f_mappings interactive
>
> (and filling /etc/u2f_mappings with output from pamu2fcfg)
>
> In addition to that, the Fedora README could also mention pamu2fcfg.
>
> More SELinux details:
>
> The SELinux audit messages looked like this (before executing semanage
> permissive):
>
> type=AVC msg=audit(1452281803.756:2262): avc: denied { read } for pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.756:2263): avc: denied { read } for pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.757:2264): avc: denied { read } for pid=11098 comm="login" name="c248:2" dev="tmpfs" ino=894548 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.757:2265): avc: denied { read } for pid=11098 comm="login" name="c248:3" dev="tmpfs" ino=895813 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.758:2266): avc: denied { read } for pid=11098 comm="login" name="c248:4" dev="tmpfs" ino=894573 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.758:2267): avc: denied { read } for pid=11098 comm="login" name="c248:5" dev="tmpfs" ino=910340 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.759:2268): avc: denied { read } for pid=11098 comm="login" name="c248:6" dev="tmpfs" ino=908284 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

I didn't try to use it for console logins so it seems there is an SELinux
policy issue there. I'll check it out.

> The tool audit2allow suggests:
>
> #============= local_login_t ==============
> allow local_login_t udev_var_run_t:file read;

Thanks for the testing!