On 03/27/2014 11:05 PM, William Brown wrote:

The current policy for yubikeys only takes into account the otp
functions. In addition, the pam module supports a local challenge
response mode. 

I have attached a patch to allow chap to work for yubikeys with selinux
enabled. To note is that I have added a auth_home_rw_t type, as the pam
module reads from ~/.yubico/challenge-<tokenid> and then rewrites it
with a new challenge after the attempt. 

I would like to especially ask that the section for the chap tunable
policy be reviewed. In my testing, it seemed that login_pgm wasn't
sufficient, as staff_sudo_t didn't seem to be covered by this which is
why I have added the sudodomain components. I would like to know if
there is a better way to resolve this. 


selinux mailing list
Looks OK. Basically we can place the boolean also to the sudo policy module.

Could we stay only with  "authlogin_yubikey" boolean?