https://bugzilla.redhat.com/show_bug.cgi?id=1283296

--- Comment #17 from Seth Jennings <spartacus06@xxxxxxxxx> ---

Sorry for the delayed reply.

(In reply to Georg Sauthoff from comment #16)
> I've tested it on Fedora 23 and it doesn't work with SELinux set to enforce
> (the default setting).
>
> Only after executing
>
> semanage permissive -a local_login_t
>
> the module worked.
>
> Also, a Fedora specific README would be helpful - i.e. one where it is
> described what files you have to change in what way.

Yes, a Fedora README would be a good idea.

> For example, I wanted to configure U2F as 2nd factor in addition to password
> authentication - for local console logins and gnome shell (including
> unlocking a locked screen). I've managed to do that via adding this line
> before the `auth ... password-auth` line in /etc/pam.d/{login,gdm-password}:
>
> auth requisite pam_u2f.so debug authfile=/etc/u2f_mappings interactive
>
> (and filling /etc/u2f_mappings with output from pamu2fcfg)
>
> In addition to that, the Fedora README could also mention pamu2fcfg.
>
> More SELinux details:
>
> The SELinux audit messages looked like this (before executing semanage
> permissive):
>
> type=AVC msg=audit(1452281803.756:2262): avc: denied { read } for pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.756:2263): avc: denied { read } for pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.757:2264): avc: denied { read } for pid=11098 comm="login" name="c248:2" dev="tmpfs" ino=894548 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.757:2265): avc: denied { read } for pid=11098 comm="login" name="c248:3" dev="tmpfs" ino=895813 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.758:2266): avc: denied { read } for pid=11098 comm="login" name="c248:4" dev="tmpfs" ino=894573 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.758:2267): avc: denied { read } for pid=11098 comm="login" name="c248:5" dev="tmpfs" ino=910340 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1452281803.759:2268): avc: denied { read } for pid=11098 comm="login" name="c248:6" dev="tmpfs" ino=908284 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0

I didn't try to use it for console logins, so it seems there is an SELinux
policy issue there. I'll check it out.

> The tool audit2allow suggests:
>
> #============= local_login_t ==============
> allow local_login_t udev_var_run_t:file read;

Thanks for the testing!

--
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
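The thread shows two ways past the denials: making the whole local_login_t domain permissive, or the single allow rule audit2allow derives from the AVC records. The following is an added example (not code from the bug report, Fedora, or the pam_u2f project) that does the latter step by hand: it parses denial records of the shape quoted above, groups them by source type, target type and object class the way audit2allow does, and renders a policy module source; the two sample records are constructed from the quoted lines, and the module name `pam_u2f_login` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records of the shape quoted in the bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1452281803.756:2262): avc: denied { read } for pid=11098 comm="login" name="c248:0" dev="tmpfs" ino=14836 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1452281803.756:2263): avc: denied { read } for pid=11098 comm="login" name="c248:1" dev="tmpfs" ino=14839 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the denied permissions plus source/target types, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:level]; the type is the third field.
    return {"perms": m.group("perms").split(),
            "source": m.group("scontext").split(":")[2],
            "target": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}

def allow_rules(audit_text):
    """Collapse denials into one allow rule per (source, target, class), as audit2allow does."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm = " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules

def policy_module(name, rules):
    """Render .te source (module header, require block, rules) for checkmodule/semodule_package."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        src, tgt, cls, perm = re.match(r"allow (\S+) (\S+):(\S+) (.+);$", rule).groups()
        types.update((src, tgt))
        classes[cls].update(perm.strip("{} ").split())
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + list(rules)
    return "\n".join(out) + "\n"
```

The rendered source compiles and loads with `checkmodule -M -m -o pam_u2f_login.mod pam_u2f_login.te`, `semodule_package -o pam_u2f_login.pp -m pam_u2f_login.mod` and `semodule -i pam_u2f_login.pp`, which grants only the one read access while the rest of local_login_t stays enforcing.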