> -----Original Message-----
> From: Stephen Smalley <s...@tycho.nsa.gov>
> Sent: Tuesday, June 19, 2018 07:39
> 
> On 06/18/2018 04:33 PM, Mike Hughes wrote:
> >> -----Original Message-----
> >> From: Stephen Smalley <s...@tycho.nsa.gov>
> >> Sent: Monday, June 18, 2018 15:28
> >> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> >>> We use Yubikey for two-factor ssh authentication which requires enabling
> >>> a Boolean called “authlogin_yubikey”. It has been working fine until a few
> >>> weeks ago. Errors appear when attempting to set the policy:
> >>>
> >>> --
> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> off
> >>>
> >>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> >>> libsepol.context_from_record: type gpio_device_t is not defined
> >>> libsepol.context_from_record: could not create context structure
> >>> libsepol.context_from_string: could not create context structure
> >>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> >>> invalid context system_u:object_r:gpio_device_t:s0
> >>
> >> Sounds like your policy is in an inconsistent internal state (somewhere
> >> you have a context with gpio_device_t but the type isn't defined in the
> >> policy).
> >>
> >> What's your policy version?  And did it perhaps fail during %post when it
> >> was updated - check yum.log?
> >
> > Nothing stands out to me in yum.log
> 
> There would have been error messages during the update of the
> selinux-policy-targeted package.
> 
> You didn't mention your policy version.  On an updated CentOS 7 VM, I see:
> $ rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
> 
> And it has gpio_device_t defined:
> $ seinfo -t | grep gpio_device_t
> gpio_device_t
> 
> And this type is used in file_contexts:
> $ semanage fcontext -l | grep gpio_device_t
> /dev/gpiochip[0-9]+   character device        
> system_u:object_r:gpio_device_t:s0

Thank you for the suggestions. I received the same responses, though the last 
one needed to be run as root.

> 
> >
> >
> >> Does semodule -B fail?
> >
> > No, it completes without error:
> >
> > --
> > [Cent-7:root@my_server ~]# semodule -B
> > [Cent-7:root@ my_server ~]# echo $?
> > 0
> > [Cent-7:root@ my_server ~]#
> > --
> >>
> >> Might have to move aside your policy and reinstall it.
> >
> > How might one accomplish this?
> 
> You could try first to just reinstall the package, e.g. yum reinstall
> selinux-policy-targeted.

This appears to have resolved the issue. After reinstalling the policy,
setsebool does not throw errors and 'semanage boolean -l' indicates that the
default state is set to "on":

--
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@ my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@ my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey
--

> 
> If that doesn't resolve it, then export any local customizations you have and
> move aside your active policy store and try again, ala
> semanage export -f exports
> mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
> yum reinstall selinux-policy-targeted
> 
> Then check that everything in the exports file is something you want to
> preserve, and if so, re-import it.
> cat exports
> semanage import -f exports
> 
> If that doesn't resolve it, you could move aside the entire policy tree and
> try again, ala
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
> 
> And then re-import your exports if desired/appropriate.
> 
> You may also have to re-insert any local policy modules you have defined; I
> don't think export/import handles modules, just other changes.

Thank you for the sledgehammers! I'll keep these around for next time.
-Mike

> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> on
> >>> ---
> >>>
> >>> The system accepts two-factor while the above is set to “on”. After some
> >>> undetermined time (or immediately after a reboot) the Boolean toggles off.
> >>> This can be confirmed since semanage shows that the default is still set
> >>> to “off”:
> >>>
> >>> --
> >>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> >>> SELinux boolean                State  Default Description
> >>> ...
> >>> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
> >>> --
> >>>
> >>> It looks similar to the following bug on Fedora:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174
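
As an added example (not code from the thread or the selinux-policy project): a small POSIX sh check that parses `semanage boolean -l` output in the column layout shown above (assumed to be stable) and reports whether a boolean's running state matches its persisted default, which is the mismatch Mike saw before reinstalling the policy. Sample listings are constructed from the thread; on a live system you would pipe the real `semanage boolean -l` output into it.

```shell
#!/bin/sh
# Added example: detect an SELinux boolean whose runtime state differs from the
# persisted default, i.e. a `setsebool -P` that did not stick and will revert
# on reboot.  Live use:  semanage boolean -l | check_persisted authlogin_yubikey

# Read a `semanage boolean -l` listing on stdin and print
# "NAME current=X default=Y" for the named boolean (exit 2 if not listed).
bool_state() {
    awk -v name="$1" '
        $1 == name {
            line = $0
            sub(/^[^(]*\(/, "", line)   # keep text after the opening "("
            sub(/\).*$/, "", line)      # drop the ")" and the description
            gsub(/[ \t]/, "", line)     # "on   ,  off" -> "on,off"
            split(line, s, ",")
            printf "%s current=%s default=%s\n", name, s[1], s[2]
            found = 1
        }
        END { if (!found) exit 2 }'
}

# Exit 0 when current == default (change was persisted), 1 when they differ
# (the boolean will flip back at reboot), 2 when the boolean is not listed.
check_persisted() {
    out=$(bool_state "$1") || return 2
    cur=${out#* current=}; cur=${cur%% *}
    def=${out##*default=}
    [ "$cur" = "$def" ]
}

# Constructed sample listings mirroring the before/after states in the thread.
SAMPLE_BEFORE='SELinux boolean                State  Default Description
authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey'
SAMPLE_AFTER='SELinux boolean                State  Default Description
authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey'

# Demonstration when run directly: report each sample.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | check_persisted authlogin_yubikey; then
        echo "authlogin_yubikey: persisted"
    else
        echo "authlogin_yubikey: NOT persisted (will revert on reboot)"
    fi
done
```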


_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.