On 12/13/2017 10:37 PM, sindano sindano wrote:
Hi,

under these circumstances:

1. Install Google Authenticator
2. Set up the PAM module for sudo:

    auth required pam_google_authenticator.so user=root secret=/PATH_FOLDER/${USER}

3. Run google-authenticator for ${USER}
4. cp or mv the .google-authenticator file to /var/lib/google-authenticator/chira
5. Run restorecon -rv on /var/lib/google-authenticator/
6. Reboot

GA fails (without providing any errors to the terminal) to ask for the verification code, and sudo doesn't execute. No AVC denials are provided either. However, I get an error message from the journal:

    audit: type=1100 audit(1513091006.688:912): pid=10848 uid=1000 auid=1000 ses=2 subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="chira" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
    Dec 12 17:03:28 localhost.localdomain sudo(pam_google_authenticator)[10848]: Failed to read "/var/lib/google-authenticator/chira" for "chira"
    ...

If I switch to unconfined_u, all goes smoothly as expected.

I'm currently on Fedora 27 Workstation and selinux-policy-3.13.1-283.17.fc27.noarch.

BR,
Sindano

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

Could you please reproduce the issue and then attach output of:

    # ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.