https://bugzilla.redhat.com/show_bug.cgi?id=1283296

--- Comment #16 from Georg Sauthoff <fedora@xxxxxxxx> ---
I've tested it on Fedora 23 and it doesn't work with SELinux set to enforce (the default setting). Only after executing

    semanage permissive -a local_login_t

the module worked.

Also, a Fedora-specific README would be helpful - i.e. one where it is described what files you have to change in what way.

For example, I wanted to configure U2F as 2nd factor in addition to password authentication - for local console logins and gnome shell (including unlocking a locked screen). I've managed to do that via adding this line before the `auth ... password-auth` line in /etc/pam.d/{login,gdm-password}:

    auth requisite pam_u2f.so debug authfile=/etc/u2f_mappings interactive

(and filling /etc/u2f_mappings with output from pamu2fcfg)

In addition to that, the Fedora README could also mention pamu2fcfg.

More SELinux details:

The SELinux audit messages looked like this (before executing semanage permissive):

type=AVC msg=audit(1452281803.756:2262): avc: denied { read } for pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.756:2263): avc: denied { read } for pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.757:2264): avc: denied { read } for pid=11098 comm="login" name="c248:2" dev="tmpfs" ino=894548 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.757:2265): avc: denied { read } for pid=11098 comm="login" name="c248:3" dev="tmpfs" ino=895813 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.758:2266): avc: denied { read } for pid=11098 comm="login" name="c248:4" dev="tmpfs" ino=894573 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.758:2267): avc: denied { read } for pid=11098 comm="login" name="c248:5" dev="tmpfs" ino=910340 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.759:2268): avc: denied { read } for pid=11098 comm="login" name="c248:6" dev="tmpfs" ino=908284 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

The tool audit2allow suggests:

#============= local_login_t ==============
allow local_login_t udev_var_run_t:file read;

_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
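
Added example, not part of the original comment or of the pam_u2f package: a Python sketch that collapses AVC denials like the ones quoted above into type-enforcement rules, showing that all of them reduce to the single rule audit2allow suggested, which is far narrower than making the whole local_login_t domain permissive. The function names and the regular expression are assumptions of this example; the sample lines are three of the denials from the comment.

```python
import re
from collections import defaultdict

# Three of the denials quoted in the comment (the others differ only in name/ino).
SAMPLE = """\
type=AVC msg=audit(1452281803.756:2262): avc: denied { read } for pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.756:2263): avc: denied { read } for pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.757:2264): avc: denied { read } for pid=11098 comm="login" name="c248:2" dev="tmpfs" ino=894548 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

# Denied permissions, source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["count"] += 1
    return dict(rules)

def allow_rules(log_text):
    """Render one allow rule per group, in the syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), info in sorted(summarize(log_text).items()):
        perms = sorted(info["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        print(f"# {info['count']} denials: {src} -> {tgt}:{cls}")
    print("\n".join(allow_rules(SAMPLE)))
```
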