> -----Original Message-----
> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Sent: Monday, June 18, 2018 15:28
> To: Mike Hughes <mike@xxxxxxxxxxxxx>; selinux@xxxxxxxxxxxxx
> Subject: Re: 'setsebool -P' works but throws errors; changes not permanent
>
> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> > We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
> >
> > --
> > [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> > authlogin_yubikey --> off
> >
> > [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> > libsepol.context_from_record: type gpio_device_t is not defined
> > libsepol.context_from_record: could not create context structure
> > libsepol.context_from_string: could not create context structure
> > libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> > invalid context system_u:object_r:gpio_device_t:s0
>
> Sounds like your policy is in an inconsistent internal state (somewhere you have a context with gpio_device_t but the type isn't defined in the policy).
>
> What's your policy version? And did it perhaps fail during %post when it was updated - check yum.log?

Nothing stands out to me in yum.log

> Does semodule -B fail?

No, it completes without error:
--
[Cent-7:root@my_server ~]# semodule -B
[Cent-7:root@ my_server ~]# echo $?
0
[Cent-7:root@ my_server ~]#
--

> Might have to move aside your policy and reinstall it.

How might one accomplish this?

> > [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> > authlogin_yubikey --> on
> > ---
> >
> > The system accepts two-factor while the above is set to “on”. After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to “off”:
> >
> > --
> > [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> > SELinux boolean State Default Description
> > ...
> > authlogin_yubikey (on , off) Allow authlogin to yubikey
> > --
> >
> > It looks similar to the following bug on Fedora:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1559174
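
The state-versus-default check described in the message above, generalized to every boolean on a host; this is an added example, not part of the original thread. The function names and sample lines are constructed, and it assumes the `name (state , default) description` layout quoted in the thread, with the second value being what the stored policy will restore.

```sh
#!/bin/sh
# Added example (not from the thread): report SELinux booleans whose runtime
# state differs from the value stored in the policy, which is the symptom
# described in the thread (runtime "on", default still "off").

# Reads `semanage boolean -l` output on stdin. Assumes the line shape shown
# in the thread: name (state , default) description
boolean_drift() {
    awk '
    match($0, /\((on|off)[ \t]*,[ \t]*(on|off)\)/) {
        pair = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "on , off"
        gsub(/[ \t]/, "", pair)                      # -> "on,off"
        split(pair, v, ",")
        if (v[1] != v[2])
            printf "%s runtime=%s persistent=%s\n", $1, v[1], v[2]
    }'
}

# Constructed sample input modelled on the output quoted in the thread.
sample_semanage_output() {
    cat <<'EOF'
SELinux boolean                State  Default Description

authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login
EOF
}

# Offline demo; on a live host use: semanage boolean -l | boolean_drift
sample_semanage_output | boolean_drift
```

Any line it prints names a boolean whose `setsebool -P` change did not reach the policy store, which is worth checking after a run that emitted libsepol errors like those quoted above.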