Authentication with YubiKey 5C NFC fails when SELinux is in enforcing mode. In permissive mode authentication works fine, but in enforcing mode the cue message is never displayed and authentication fails. The problem seems to be access rights to the tmpfs mounted under /run/user/* where pam_u2f tries to create the authpending_file:

[ 677.004259] audit: type=1400 audit(1642845447.556:160): avc: denied { search } for pid=3250 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 677.010052] audit: type=1400 audit(1642845447.560:161): avc: denied { search } for pid=3255 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 677.011612] audit: type=1400 audit(1642845447.563:162): avc: denied { search } for pid=3261 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 677.013295] audit: type=1400 audit(1642845447.565:163): avc: denied { search } for pid=3262 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 677.037648] audit: type=1400 audit(1642845447.589:164): avc: denied { search } for pid=3264 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 677.045125] audit: type=1400 audit(1642845447.596:165): avc: denied { search } for pid=3266 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[ 692.028005] audit: type=1400 audit(1642845462.579:166): avc: denied { search } for pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[ 692.028412] audit: type=1400 audit(1642845462.580:167): avc: denied { search } for pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[ 692.028769] audit: type=1400 audit(1642845462.580:168): avc: denied { search } for pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[ 692.029086] audit: type=1400 audit(1642845462.580:169): avc: denied { search } for pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[ 692.029492] audit: type=1400 audit(1642845462.581:170): avc: denied { search } for pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0

Reproducible: Always

Steps to Reproduce:
1. Set SELinux to enforcing mode
2. Try to authenticate with YubiKey
3.

Created attachment 763356
emerge --info pam_u2f