Review of yubikey selinux policy

William Brown william at firstyear.id.au
Thu Mar 27 22:05:49 UTC 2014


Hi,

The current policy for yubikeys only takes into account the otp
functions. In addition, the pam module supports a local challenge
response mode. 

I have attached a patch to allow chap to work for yubikeys with selinux
enabled. To note is that I have added an auth_home_rw_t type, as the pam
module reads from ~/.yubico/challenge-<tokenid> and then rewrites it
with a new challenge after the attempt.

I would like to especially ask that the section for the chap tunable
policy be reviewed. In my testing, it seemed that login_pgm wasn't
sufficient, as staff_sudo_t didn't seem to be covered by this, which is
why I have added the sudodomain components. I would like to know if
there is a better way to resolve this.

Sincerely,

-- 
William Brown <william at firstyear.id.au>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yubikey_chap.patch
Type: text/x-patch
Size: 3828 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140328/34c39623/attachment.bin>
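The attached patch was scrubbed from the archive, so the following is an added, illustrative reconstruction of the policy shape the message describes, not the author's patch. It is written against refpolicy conventions and assumes the real `login_pgm` and `sudodomain` attributes and the `userdom_user_home_content` interface; the module name, the tunable name `authlogin_yubikey_chap`, the exact permission sets and the file-context line are assumptions chosen for this example.

```selinux
policy_module(yubikey_chap, 1.0.0)

## <desc>
## <p>Allow login programs and sudo domains to read and rewrite the
## YubiKey challenge-response state kept under ~/.yubico.</p>
## </desc>
# Assumed tunable name; default off so the extra home-directory access
# is only granted where challenge-response mode is actually used.
gen_tunable(authlogin_yubikey_chap, false)

# Attributes provided by the base policy (authlogin.te and sudo.te).
require {
	attribute login_pgm;
	attribute sudodomain;
}

# Home-directory content that authentication code must both read and
# rewrite: the PAM module consumes ~/.yubico/challenge-<tokenid> and
# writes a fresh challenge back after every attempt.
type auth_home_rw_t;
userdom_user_home_content(auth_home_rw_t)

tunable_policy(`authlogin_yubikey_chap',`
	# Read and rewrite the challenge file (write is needed, not just read).
	allow login_pgm auth_home_rw_t:dir { getattr open read search };
	allow login_pgm auth_home_rw_t:file { getattr open read write };

	# As noted in the message, staff_sudo_t and friends are not covered by
	# login_pgm, so the sudo domains get the same narrow access.
	allow sudodomain auth_home_rw_t:dir { getattr open read search };
	allow sudodomain auth_home_rw_t:file { getattr open read write };
')

# Assumed file context (would live in the module's .fc file):
# HOME_DIR/\.yubico(/.*)?	gen_context(system_u:object_r:auth_home_rw_t,s0)
```

Keeping the grant behind a tunable bounds the blast radius: with the boolean off, the base policy is unchanged, and turning it on adds read/write to one labelled directory rather than to user home content in general. After building (for example with `make -f /usr/share/selinux/devel/Makefile` on a Fedora devel install) and relabelling the `.yubico` directory, any remaining denial from a login or sudo domain shows up as an AVC against `auth_home_rw_t`, which is the check that tells you whether the attribute coverage is sufficient.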

