
Bug 831893

Summary: sys-auth/pam_u2f-1.1.1: authentication fails with SELinux
Product: Gentoo Linux Reporter: Christian Apeltauer <c.apeltauer>
Component: SELinux Assignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED ---    
Severity: normal CC: gokturk
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge --info pam_u2f

Description Christian Apeltauer 2022-01-23 10:44:05 UTC
Authentication with YubiKey 5C NFC fails when SELinux is in enforcing mode. In permissive mode authentication works fine, but in enforcing mode the cue message is never displayed and authentication fails. The problem seems to be access rights to the tmpfs mounted under /run/user/* where pam_u2f tries to create the authpending_file:

[  677.004259] audit: type=1400 audit(1642845447.556:160): avc:  denied  { search } for  pid=3250 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.010052] audit: type=1400 audit(1642845447.560:161): avc:  denied  { search } for  pid=3255 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.011612] audit: type=1400 audit(1642845447.563:162): avc:  denied  { search } for  pid=3261 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.013295] audit: type=1400 audit(1642845447.565:163): avc:  denied  { search } for  pid=3262 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.037648] audit: type=1400 audit(1642845447.589:164): avc:  denied  { search } for  pid=3264 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.045125] audit: type=1400 audit(1642845447.596:165): avc:  denied  { search } for  pid=3266 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  692.028005] audit: type=1400 audit(1642845462.579:166): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.028412] audit: type=1400 audit(1642845462.580:167): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.028769] audit: type=1400 audit(1642845462.580:168): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.029086] audit: type=1400 audit(1642845462.580:169): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.029492] audit: type=1400 audit(1642845462.581:170): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0

Reproducible: Always

Steps to Reproduce:
1. Set SELinux to enforcing mode
2. Try to authenticate with YubiKey
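
Added example, not part of the original report: a small Python triage helper that parses AVC denial lines like the ones quoted above and groups them by source type, target type, class and permission, so repeated denials collapse into the distinct accesses being blocked. The function names are hypothetical; the sample input is three of the denial lines copied from the report plus one constructed non-AVC line.

```python
import re
from collections import Counter

# Sample input: three denial lines copied from the report, plus one
# constructed non-AVC kernel line that the parser must skip.
SAMPLE = '''\
[  677.004259] audit: type=1400 audit(1642845447.556:160): avc:  denied  { search } for  pid=3250 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  677.010052] audit: type=1400 audit(1642845447.560:161): avc:  denied  { search } for  pid=3255 comm="elogind-uaccess" name="seats" dev="tmpfs" ino=811 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
[  692.028005] audit: type=1400 audit(1642845462.579:166): avc:  denied  { search } for  pid=2791 comm="login" name="udev" dev="tmpfs" ino=47 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
[  692.100000] usb 1-2: new full-speed USB device number 5 using xhci_hcd
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "key": (selinux_type(fields["scontext"]), selinux_type(fields["tcontext"]),
                fields["tclass"], tuple(sorted(m.group("perms").split()))),
        "comm": fields.get("comm", "?"),
    }

def summarize(lines):
    """Group denials by (source type, target type, class, perms), most frequent first."""
    counts, comms = Counter(), {}
    for line in lines:
        denial = parse_avc(line)
        if denial is None:
            continue
        counts[denial["key"]] += 1
        comms.setdefault(denial["key"], set()).add(denial["comm"])
    return [(key, n, sorted(comms[key])) for key, n in counts.most_common()]

if __name__ == "__main__":
    for (src, tgt, cls, perms), n, procs in summarize(SAMPLE.splitlines()):
        print(f"{n:3d}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} comm={','.join(procs)}")
```
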
Comment 1 Christian Apeltauer 2022-01-23 10:44:39 UTC
Created attachment 763356
emerge --info pam_u2f