On Mon, 18 Jun 2018 19:44:10 +0000
Mike Hughes <mike@xxxxxxxxxxxxx> wrote:

> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called "authlogin_yubikey". It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
>
> --
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> off
>
> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> libsepol.context_from_record: type gpio_device_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> invalid context system_u:object_r:gpio_device_t:s0
>
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> on
> ---
>
> The system accepts two-factor while the above is set to "on". After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to "off":
>
> --
> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> SELinux boolean State Default Description
> ...
> authlogin_yubikey (on , off) Allow authlogin to yubikey
> --
>
> It looks similar to the following bug on Fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=1559174

--
Jalus Bilieyich <countolaf17@xxxxxxxxx>
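
The mismatch the quoted message reads off `semanage boolean -l` (current state "on", default "off") can be checked for every boolean at once. The following is an added example, not part of the original thread; it assumes the `name (state , default) description` row layout shown in the quoted output, and the function names and the `example_bool_*` rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report SELinux booleans whose current
# state differs from the stored default, reading `semanage boolean -l`
# output on stdin. The quoted message reports this state for
# authlogin_yubikey after a setsebool -P that printed libsepol errors.

boolean_drift() {
    awk '
    # Data rows: name  (state , default)  description. Header, blank and
    # "..." lines carry no "(on|off , on|off)" pair and are skipped.
    match($0, /\( *(on|off) *, *(on|off) *\)/) {
        pair = substr($0, RSTART + 1, RLENGTH - 2)   # drop the parentheses
        gsub(/ /, "", pair)                          # e.g. "on,off"
        split(pair, v, ",")
        if (v[1] != v[2])
            printf "%s current=%s default=%s\n", $1, v[1], v[2]
    }'
}

# Constructed sample input. The authlogin_yubikey row is the one quoted in
# the message; the example_bool_* rows are made up for the example.
sample_output() {
    cat <<'EOF'
SELinux boolean                State  Default Description

authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
example_bool_a                 (off  ,  off)  Constructed row
example_bool_b                 (on   ,   on)  Constructed row
EOF
}

# On a live system: semanage boolean -l | boolean_drift
sample_output | boolean_drift
```

An empty result means every listed boolean has its current state equal to its stored default.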