1657489 – SELinux is preventing root two-factor authentication in Cockpit

Bug 1657489 - SELinux is preventing root two-factor authentication in Cockpit

Summary: SELinux is preventing root two-factor authentication in Cockpit

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	29
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-08 22:21 UTC by Dimitrios Christidis
Modified:	2019-01-17 02:16 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.2-46.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-01-17 02:16:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dimitrios Christidis 2018-12-08 22:21:28 UTC

Description of problem:

I have successfully enabled two-factor authentication using the Google Authenticator in SSH. However, I haven’t had the same luck with Cockpit:

Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Accepted google_authenticator for root
Dec 08 21:57:24 NUC audit[11885]: AVC avc:  denied  { dac_override } for  pid=11885 comm="cockpit-session" capability=1  scontext=system_u:system_r:cockpit_session_t:s0 tcontex
t=system_u:system_r:cockpit_session_t:s0 tclass=capability permissive=0
Dec 08 21:57:24 NUC audit[11885]: USER_AUTH pid=11885 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/libexec/cockpit-session" hostname=192.168.1.82 addr=192.168.1.82 terminal=? res=failed'
Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Failed to update secret file "/root/.google_authenticator": Permission denied

The /root directory has permissions 0550 and Cockpit, unlike SSH, doesn’t have the DAC_OVERRIDE capability.

Version-Release number of selected component (if applicable):

cockpit-183-1.fc29.x86_64
google-authenticator-1.04-3.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch

How reproducible:

Always.

Steps to Reproduce:
1. Enable two-factor authentication in the PAM configuration for Cockpit.
2. Try to log in as root.

Actual results:

Failed authentication.

Expected results:

Successful authentication.

Additional info:

Comment 1 Lukas Vrabec 2018-12-12 12:54:36 UTC

commit 73801b54e7549b557a5568a4a7b0afe77eaf60ed (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 13:54:20 2018 +0100

    Add dac_override capability to cockpit_session_t domain BZ(1657489)

Comment 2 Fedora Update System 2019-01-13 15:44:52 UTC

selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 3 Fedora Update System 2019-01-14 03:03:08 UTC

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-17 02:16:36 UTC

selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.