Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831893 - sys-auth/pam_u2f-1.1.1: authentifaction failes with SELinux
Summary: sys-auth/pam_u2f-1.1.1: authentifaction failes with SELinux
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-23 10:44 UTC by Christian Apeltauer
Modified: 2022-01-23 17:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
emerge --info pam_u2f (info,6.80 KB, text/plain)
2022-01-23 10:44 UTC, Christian Apeltauer 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Apeltauer 2022-01-23 10:44:05 UTC 
Authentifcation with YubiKey 5C NFC fails when SELinux is in enforcing mode. In permissive mode authentification works fine, but in enforcing mode the cue message is never displayed and authentification fails. The problem seems to be access rights to the tmpfs mounted under /run/user/* where pam_u2f tries to create the authpending_file:

[  677.004259] audit: type=1400 audit(1642845447.556:160): avc:  denied  { search } for  pid=3250 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.010052] audit: type=1400 audit(1642845447.560:161): avc:  denied  { search } for  pid=3255 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.011612] audit: type=1400 audit(1642845447.563:162): avc:  denied  { search } for  pid=3261 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.013295] audit: type=1400 audit(1642845447.565:163): avc:  denied  { search } for  pid=3262 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.037648] audit: type=1400 audit(1642845447.589:164): avc:  denied  { search } for  pid=3264 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.045125] audit: type=1400 audit(1642845447.596:165): avc:  denied  { search } for  pid=3266 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  692.028005] audit: type=1400 audit(1642845462.579:166): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.028412] audit: type=1400 audit(1642845462.580:167): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.028769] audit: type=1400 audit(1642845462.580:168): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.029086] audit: type=1400 audit(1642845462.580:169): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.029492] audit: type=1400 audit(1642845462.581:170): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0

Reproducible: Always

Steps to Reproduce:
1. Set SELinux to enforcing mode
2. Try to authenticate with YubiKey
3.
Comment 1 Christian Apeltauer 2022-01-23 10:44:39 UTC 
Created attachment 763356 [details]
emerge --info pam_u2f