Description of problem: Whenever I try to use pam-u2f module, SELinux is preventing polkit from accessing certain device files (the authentication process completes as expected, but SELinux error pops up nevertheless). SELinux is preventing polkit-agent-he from 'open' accesses on the file /run/udev/data/c244:0. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that polkit-agent-he should be allowed open access on the c244:0 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'polkit-agent-he' --raw | audit2allow -M my-polkitagenthe # semodule -X 300 -i my-polkitagenthe.pp Additional Information: Source Context system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 Target Context system_u:object_r:udev_var_run_t:s0 Target Objects /run/udev/data/c244:0 [ file ] Source polkit-agent-he Source Path polkit-agent-he Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.1-24.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.16.6-300.fc28.x86_64 #1 SMP Mon Apr 30 14:27:38 UTC 2018 x86_64 x86_64 Alert Count 14 First Seen 2018-05-02 15:05:55 CEST Last Seen 2018-05-03 11:19:36 CEST Local ID c6f5cd1b-a671-4c5c-a8d5-fc8d9dcd2d80 Raw Audit Messages type=AVC msg=audit(1525339176.254:299): avc: denied { open } for pid=6240 comm="polkit-agent-he" path="/run/udev/data/c244:0" dev="tmpfs" ino=21403 scontext=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=0 Hash: polkit-agent-he,policykit_auth_t,udev_var_run_t,file,open Version-Release number of selected component: selinux-policy-3.14.1-24.fc28.noarch Additional info: component: selinux-policy reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.16.6-300.fc28.x86_64 type: libreport
selinux-policy-3.14.1-30.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-20854ee84e
selinux-policy-3.14.1-30.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-20854ee84e
Cannot reproduce the bug after installing selinux-policy-3.14.1-30.fc28
selinux-policy-3.14.1-30.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.