On 06/18/2018 03:44 PM, Mike Hughes wrote: > We use Yubikey for two-factor ssh authentication which requires enabling a > Boolean called “authlogin_yubikey”. It has been working fine until a few > weeks ago. Errors appear when attempting to set the policy: > > > > -- > > [Cent-7:root@my_server home]# getsebool authlogin_yubikey > > authlogin_yubikey --> off > > > > [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on > > libsepol.context_from_record: type gpio_device_t is not defined > > libsepol.context_from_record: could not create context structure > > libsepol.context_from_string: could not create context structure > > libsepol.sepol_context_to_sid: could not convert > system_u:object_r:gpio_device_t:s0 to sid > > invalid context system_u:object_r:gpio_device_t:s0
Sounds like your policy is in an inconsistent internal state (somewhere you have a context with gpio_device_t but the type isn't defined in the policy). What's your policy version? And did it perhaps fail during %post when it was updated - check yum.log? Does semodule -B fail? Might have to move aside your policy and reinstall it. > > > > [Cent-7:root@my_server home]# getsebool authlogin_yubikey > > authlogin_yubikey --> on > > --- > > > > The system accepts two-factor while the above is set to “on”. After some > undetermined time (or immediately after a reboot) the Boolean toggles off. > This can be confirmed since semanage shows that the default is still set to > “off”: > > > > -- > > [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey" > > SELinux boolean State Default Description > > ... > > authlogin_yubikey (on , off) Allow authlogin to yubikey > > -- > > > > It looks similar to the following bug on Fedora: > > https://bugzilla.redhat.com/show_bug.cgi?id=1559174 > > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. > _______________________________________________ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
