> -----Original Message-----
> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Sent: Tuesday, June 19, 2018 07:39
>
> On 06/18/2018 04:33 PM, Mike Hughes wrote:
> >> -----Original Message-----
> >> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >> Sent: Monday, June 18, 2018 15:28
> >> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> >>> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean
> >>> called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear
> >>> when attempting to set the policy:
> >>>
> >>> --
> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> off
> >>>
> >>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> >>> libsepol.context_from_record: type gpio_device_t is not defined
> >>> libsepol.context_from_record: could not create context structure
> >>> libsepol.context_from_string: could not create context structure
> >>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> >>> invalid context system_u:object_r:gpio_device_t:s0
> >>
> >> Sounds like your policy is in an inconsistent internal state (somewhere you have a context
> >> with gpio_device_t but the type isn't defined in the policy).
> >>
> >> What's your policy version? And did it perhaps fail during %post when it was updated -
> >> check yum.log?
> >
> > Nothing stands out to me in yum.log
>
> There would have been error messages during the update of the selinux-policy-targeted
> package.
>
> You didn't mention your policy version. On an updated CentOS 7 VM, I see:
> $ rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
>
> And it has gpio_device_t defined:
> $ seinfo -t | grep gpio_device_t
> gpio_device_t
>
> And this type is used in file_contexts:
> $ semanage fcontext -l | grep gpio_device_t
> /dev/gpiochip[0-9]+ character device system_u:object_r:gpio_device_t:s0

Thank you for the suggestions.
I received the same responses, though the last one needed to be run as root.

> >> Does semodule -B fail?
> >
> > No, it completes without error:
> >
> > --
> > [Cent-7:root@my_server ~]# semodule -B
> > [Cent-7:root@my_server ~]# echo $?
> > 0
> > [Cent-7:root@my_server ~]#
> > --
> >>
> >> Might have to move aside your policy and reinstall it.
> >
> > How might one accomplish this?
>
> You could try first to just reinstall the package, e.g. yum reinstall selinux-policy-targeted.

This appears to have resolved the issue. After reinstalling the policy setsebool does not throw errors and 'semanage boolean -l' indicates that the default state is set to "on":

--
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey (on , on) Allow authlogin to yubikey
--

> If that doesn't resolve it, then export any local customizations you have and move aside
> your active policy store and try again, ala
> semanage export -f exports
> mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
> yum reinstall selinux-policy-targeted
>
> Then check that everything in the exports file is something you want to preserve, and if
> so, re-import it.
> cat exports
> semanage import -f exports
>
> If that doesn't resolve it, you could move aside the entire policy tree and try again, ala
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
>
> And then re-import your exports if desired/appropriate.
>
> You may also have to re-insert any local policy modules you have defined; I don't think
> export/import handles modules, just other changes.

Thank you for the sledgehammers! I'll keep these around for next time.
-Mike

> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> on
> >>> ---
> >>>
> >>> The system accepts two-factor while the above is set to “on”. After some undetermined
> >>> time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since
> >>> semanage shows that the default is still set to “off”:
> >>>
> >>> --
> >>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> >>> SELinux boolean State Default Description
> >>> ...
> >>> authlogin_yubikey (on , off) Allow authlogin to yubikey
> >>> --
> >>>
> >>> It looks similar to the following bug on Fedora:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174
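Added example, not part of the thread: POSIX sh helpers for the two checks that came up above (pulling the undefined type name out of the libsepol errors from setsebool, and confirming from `semanage boolean -l` output that a boolean's default is actually persisted), plus Stephen's escalating recovery sequence wrapped as a function. The function names are my own; the sample outputs are copied from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are assumed; the sample
# outputs below are copied from the messages above so the helpers run offline.

# Print each type that libsepol reports as "is not defined" in the stderr of
# setsebool -P / semodule, one per line (e.g. gpio_device_t). Reads stdin.
undefined_types() {
    sed -n 's/^libsepol\.context_from_record: type \([A-Za-z0-9_]*\) is not defined$/\1/p' \
        | sort -u
}

# From "semanage boolean -l" output on stdin, print "<current> <default>"
# for boolean $1, e.g. "on off" for a boolean that will revert on reboot.
boolean_states() {
    awk -v b="$1" '$1 == b { gsub(/[(),]/, ""); print $2, $3 }'
}

# Succeed only if the default (persistent) state of boolean $1 is "on".
# Reads "semanage boolean -l" output on stdin.
persistent_on() {
    states=$(boolean_states "$1")
    [ "${states#* }" = "on" ]
}

# Stephen's recovery sequence as a root-only function; use it only after a
# plain "yum reinstall selinux-policy-targeted" did not clear the error.
reset_active_store() {
    semanage export -f exports
    mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
    yum reinstall -y selinux-policy-targeted
    cat exports            # review the customizations before re-importing
    semanage import -f exports
    # Local policy modules are not covered by export/import; re-insert them.
}

# Sample output copied from the thread (constructed fixtures for offline use).
SAMPLE_ERR='libsepol.context_from_record: type gpio_device_t is not defined
libsepol.context_from_record: could not create context structure
invalid context system_u:object_r:gpio_device_t:s0'
SAMPLE_BOOL='SELinux boolean State Default Description
authlogin_yubikey (on , off) Allow authlogin to yubikey'
```

Against a live system the same helpers read the real tools, e.g. `setsebool -P authlogin_yubikey on 2>&1 | undefined_types` and `semanage boolean -l | persistent_on authlogin_yubikey`.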