[Bug 1283296] Review Request: pam-u2f - PAM authentication over U2F

bugzilla at redhat.com
Fri Jan 8 20:13:22 UTC 2016


https://bugzilla.redhat.com/show_bug.cgi?id=1283296



--- Comment #16 from Georg Sauthoff <fedora at georg.so> ---
I've tested it on Fedora 23 and it doesn't work with SELinux set to enforce
(the default setting).

Only after executing

semanage permissive -a local_login_t

the module worked.

Also, a Fedora specific README would be helpful - i.e. one where it is
described what files you have to change in what way.

For example, I wanted to configure U2F as 2nd factor in addition to password
authentication - for local console logins and gnome shell (including unlocking
a locked screen). I've managed to do that by adding this line before the `auth
... password-auth` line in /etc/pam.d/{login,gdm-password}:

auth requisite pam_u2f.so debug authfile=/etc/u2f_mappings interactive

(and filling /etc/u2f_mappings with output from pamu2fcfg)

In addition to that, the Fedora README could also mention pamu2fcfg.

More SELinux details:

The SELinux audit messages looked like this (before executing semanage
permissive):

type=AVC msg=audit(1452281803.756:2262): avc:  denied  { read } for  pid=11098
comm="login" name="c248:0" dev="tmpfs" ino=14836
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.756:2263): avc:  denied  { read } for  pid=11098
comm="login" name="c248:1" dev="tmpfs" ino=14839
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.757:2264): avc:  denied  { read } for  pid=11098
comm="login" name="c248:2" dev="tmpfs" ino=894548
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.757:2265): avc:  denied  { read } for  pid=11098
comm="login" name="c248:3" dev="tmpfs" ino=895813
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.758:2266): avc:  denied  { read } for  pid=11098
comm="login" name="c248:4" dev="tmpfs" ino=894573
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.758:2267): avc:  denied  { read } for  pid=11098
comm="login" name="c248:5" dev="tmpfs" ino=910340
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.759:2268): avc:  denied  { read } for  pid=11098
comm="login" name="c248:6" dev="tmpfs" ino=908284
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0


The tool audit2allow suggests:

#============= local_login_t ==============
allow local_login_t udev_var_run_t:file read;
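As an added example (not part of this comment or the pam-u2f project), a small Python parser that turns AVC denial lines like the ones above into the minimal allow rules audit2allow prints, which is a narrower fix than putting the whole local_login_t domain into permissive mode. The sample input is constructed from two of the denials quoted above; the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: two of the AVC denials quoted in the comment above, unwrapped.
SAMPLE_AVC = """\
type=AVC msg=audit(1452281803.756:2262): avc:  denied  { read } for  pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.756:2263): avc:  denied  { read } for  pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

# Matches the decision, the permission set in braces, and the source/target
# contexts plus object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Extract the type field from user:role:type[:mls]."""
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per AVC *denied* record; granted records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials

def allow_rules(denials):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:          # multiple permissions use brace syntax
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_avc(SAMPLE_AVC))))
```

Fed the seven denials from the comment, it prints the single rule `allow local_login_t udev_var_run_t:file read;`, the same as audit2allow.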
