Re: google authenticator doesn't work under staff_t confinement

On 12/13/2017 10:37 PM, sindano sindano wrote:
Hi,
under these circumstances:
1. Install google authenticator
2. set up the PAM module for sudo: auth required pam_google_authenticator.so user=root secret=/PATH_FOLDER/${USER}
3. run google-authenticator for ${USER}
4. cp or mv .google-authenticator file to /var/lib/google-authenticator/chira
5. run restorecon -rv on /var/lib/google-authenticator/
6. reboot
GA fails (without providing any errors to the terminal) to ask for the verification code and sudo doesn't execute. No AVC denials are provided either.

However, I get an error message from the journal:
  audit: type=1100 audit(1513091006.688:912): pid=10848 uid=1000 auid=1000 ses=2 subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="chira" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
Dec 12 17:03:28 localhost.localdomain sudo(pam_google_authenticator)[10848]: Failed to read "/var/lib/google-authenticator/chira" for "chira"
...

If I switch to unconfined_u, all goes smoothly as expected.

I'm currently on Fedora 27 Workstation and selinux-policy-3.13.1-283.17.fc27.noarch.

BR,
Sindano
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx


Hi,

Could you please reproduce the issue and then attach output of:

# ausearch -m AVC,USER_AVC -ts today

Thanks,
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.