Bug 1657489

Summary: SELinux is preventing root two-factor authentication in Cockpit
Product: [Fedora] Fedora
Reporter: Dimitrios Christidis <dimitrios>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Fixed In Version: selinux-policy-3.14.2-46.fc29
Last Closed: 2019-01-17 02:16:36 UTC
Type: Bug

Description Dimitrios Christidis 2018-12-08 22:21:28 UTC
Description of problem:

I have successfully enabled two-factor authentication using the Google Authenticator in SSH. However, I haven’t had the same luck with Cockpit:

Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Accepted google_authenticator for root
Dec 08 21:57:24 NUC audit[11885]: AVC avc:  denied  { dac_override } for  pid=11885 comm="cockpit-session" capability=1  scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability permissive=0
Dec 08 21:57:24 NUC audit[11885]: USER_AUTH pid=11885 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/libexec/cockpit-session" hostname=192.168.1.82 addr=192.168.1.82 terminal=? res=failed'
Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Failed to update secret file "/root/.google_authenticator": Permission denied

The /root directory has permissions 0550 and Cockpit, unlike SSH, doesn’t have the DAC_OVERRIDE capability.

Version-Release number of selected component (if applicable):

cockpit-183-1.fc29.x86_64
google-authenticator-1.04-3.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch

How reproducible:

Always.

Steps to Reproduce:
1. Enable two-factor authentication in the PAM configuration for Cockpit.
2. Try to log in as root.

Actual results:

Failed authentication.

Expected results:

Successful authentication.

Additional info:
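
Added example, not part of the original report or of selinux-policy: it parses the AVC record quoted above and applies the plain owner/group/other check to the 0550 mode of /root, showing why uid 0 still needs DAC_OVERRIDE there. The function names are hypothetical, and it assumes that updating the secret file requires write and search access on the directory.

```python
import re

# Constructed from the AVC record quoted in the report (syslog prefix dropped).
SAMPLE_AVC = (
    'AVC avc:  denied  { dac_override } for  pid=11885 comm="cockpit-session" '
    'capability=1  scontext=system_u:system_r:cockpit_session_t:s0 '
    'tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        rec[key] = value.strip('"')
    ctx = rec.get("scontext", "").split(":")  # user:role:type:level
    rec["source_type"] = ctx[2] if len(ctx) > 2 else None
    return rec

def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Owner/group/other check with no capabilities applied.
    want is a 3-bit mask: 4=read, 2=write, 1=execute/search."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def explain(line, dir_mode, dir_uid=0, dir_gid=0):
    """Summarise a denial and whether uid 0 needs DAC_OVERRIDE for the directory."""
    rec = parse_avc(line)
    if rec is None or rec["result"] != "denied":
        return None
    # Assumption: the update needs write (2) and search (1) on the directory.
    needs_override = not dac_allows(dir_mode, dir_uid, dir_gid, 0, {0}, want=2 | 1)
    return {
        "domain": rec["source_type"],
        "denied": rec["perms"],
        "class": rec.get("tclass"),
        "enforcing": rec.get("permissive") == "0",
        "root_needs_dac_override": needs_override,
    }
```

With mode 0550 the owner bits are r-x, so the write is only possible through the capability that the policy denied; with 0700 the same check passes without it.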

Comment 1 Lukas Vrabec 2018-12-12 12:54:36 UTC
commit 73801b54e7549b557a5568a4a7b0afe77eaf60ed (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 13:54:20 2018 +0100

    Add dac_override capability to cockpit_session_t domain BZ(1657489)

Comment 2 Fedora Update System 2019-01-13 15:44:52 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 3 Fedora Update System 2019-01-14 03:03:08 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-17 02:16:36 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.