Description of problem:
This is in relation to enabling 2FA for Cockpit on localhost.

SELinux is preventing cockpit-session from read, write, open access on the file /home/florian/.google_authenticator~2RUmXD.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label, the default label of /home/florian/.google_authenticator~2RUmXD should be user_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory; in that case, try changing the following command accordingly.
Do
# /sbin/restorecon -v /home/florian/.google_authenticator~2RUmXD

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that cockpit-session should be allowed read write open access on the .google_authenticator~2RUmXD file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cockpit-session' --raw | audit2allow -M my-cockpitsession
# semodule -X 300 -i my-cockpitsession.pp

Additional Information:
Source Context                system_u:system_r:cockpit_session_t:s0
Target Context                system_u:object_r:user_home_dir_t:s0
Target Objects                /home/florian/.google_authenticator~2RUmXD [ file ]
Source                        cockpit-session
Source Path                   cockpit-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.17-1.fc36.noarch
Local Policy RPM              cockpit-ws-282-1.fc36.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.0.15-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Dec 21 18:46:09 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2023-01-03 14:54:17 CET
Last Seen                     2023-01-03 14:54:17 CET
Local ID                      76b93b19-f971-40d5-a8da-779990dda3c1

Raw Audit Messages
type=AVC msg=audit(1672754057.550:1002): avc: denied { read write open } for pid=17501 comm="cockpit-session" path="/home/florian/.google_authenticator~2RUmXD" dev="dm-2" ino=38278986 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0

Hash: cockpit-session,cockpit_session_t,user_home_dir_t,file,read,write,open

Version-Release number of selected component:
selinux-policy-targeted-36.17-1.fc36.noarch

Additional info:
component: cockpit
reporter: libreport-2.17.4
hashmarkername: setroubleshoot
kernel: 6.0.15-200.fc36.x86_64
type: libreport
Bug #2157900 is almost the same, but for "create":

type=AVC msg=audit(1672753775.253:949): avc: denied { create } for pid=16842 comm="cockpit-session" name=".google_authenticator~CvnGGP" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0

Let's handle these in one bug/patch. Thanks for the report!
*** Bug 2157900 has been marked as a duplicate of this bug. ***
Flo, does that actually break cockpit login with Google Auth 2FA for you? Or is that just "noise"?
Cockpit login is not possible. I just set this up, so I am not 100% sure if 2FA login isn't working because of the SELinux denials or because of something else... Maybe I retry with SELinux disabled and report back?
Yes please, that would be useful. Although the denial already indicates that it got quite far at least.
I reproduced this on a fairly standard Fedora 37 cloud image. Steps:

sudo dnf install -y google-authenticator
google-authenticator --time
# scan the code, enter OTP token, and say "yes" to all other questions
ls -lZ .google_authenticator
# -r--------. 1 admin admin unconfined_u:object_r:auth_home_t:s0 136 Jan 13 11:35 .google_authenticator
sudo sed -i '/^auth.*password-auth/ aauth required pam_google_authenticator.so' /etc/pam.d/cockpit

Then Cockpit asks for a token, but fails to log in. Journal:

Jan 13 11:41:38 fedora-37-127-0-0-2-2201 cockpit(pam_google_authenticator)[3137]: Accepted google_authenticator for admin
Jan 13 11:41:38 fedora-37-127-0-0-2-2201 kernel: audit: type=1400 audit(1673610098.804:859): avc: denied { create } for pid=3137 comm="cockpit-session" name=".google_authenticator~vTTj7F" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
Jan 13 11:41:38 fedora-37-127-0-0-2-2201 audit[3137]: AVC avc: denied { create } for pid=3137 comm="cockpit-session" name=".google_authenticator~vTTj7F" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
Jan 13 11:41:38 fedora-37-127-0-0-2-2201 cockpit(pam_google_authenticator)[3137]: Failed to create tempfile "/home/admin/.google_authenticator~vTTj7F": Permission denied
Jan 13 11:41:38 fedora-37-127-0-0-2-2201 cockpit(pam_google_authenticator)[3137]: Failed to update secret file "/home/admin/.google_authenticator": Permission denied
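The setroubleshoot report in the description and the reproduction journal above both carry raw AVC records, and the suggested workaround pipes them through `audit2allow`. The following added example (not part of this bug report, Cockpit, or the selinux-policy project) parses such AVC lines in both the raw audit and journal formats, aggregates the denied permissions per source type, target type and object class, and prints the `allow` rule they imply, so the rule can be reviewed before anything is loaded with `semodule`. The three sample lines are the ones quoted in this bug, embedded as constructed input; the function names are this example's own.

```python
"""Parse SELinux AVC denial lines and aggregate them into the allow rule they imply.

This is the simple-case equivalent of `ausearch --raw | audit2allow`, written so the
resulting rule can be inspected (and compared with the upstream fix) before loading.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in this bug, two in raw audit
# format (setroubleshoot report, duplicate bug) and one as the journal prints it.
SAMPLE_AVCS = """\
type=AVC msg=audit(1672754057.550:1002): avc:  denied  { read write open } for  pid=17501 comm="cockpit-session" path="/home/florian/.google_authenticator~2RUmXD" dev="dm-2" ino=38278986 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
type=AVC msg=audit(1672753775.253:949): avc:  denied  { create } for  pid=16842 comm="cockpit-session" name=".google_authenticator~CvnGGP" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
Jan 13 11:41:38 fedora-37-127-0-0-2-2201 kernel: audit: type=1400 audit(1673610098.804:859): avc:  denied  { create } for  pid=3137 comm="cockpit-session" name=".google_authenticator~vTTj7F" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=0
"""

# Matches 'avc:  denied  { perm perm } for  key=value ...' wherever it sits on the line.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, name, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, unquoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = unquoted or quoted
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # A context is user:role:type:range; the type is what policy rules refer to.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # Files that already exist are reported by path, new files only by name.
        "target": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }


def parse_avc_lines(text):
    """Parse every line of a journal or audit.log excerpt, skipping non-AVC lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def suggest_allow_rules(records):
    """Collapse denied records into one `allow` rule per (source, target, class)."""
    needed = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items())
    ]


if __name__ == "__main__":
    recs = parse_avc_lines(SAMPLE_AVCS)
    for r in recs:
        print(f"{r['comm']} ({r['stype']}) -> {r['target']} "
              f"({r['ttype']}:{r['tclass']}): denied {sorted(r['perms'])}")
    for rule in suggest_allow_rules(recs):
        print(rule)
```

Running it over the sample prints one rule, `allow cockpit_session_t user_home_dir_t:file { create open read write };`, which is what the catchall plugin's `audit2allow` workaround would load as a local module. Seeing it spelled out makes the scope clear: the target type is the home directory's own label, not the `auth_home_t` label the existing `.google_authenticator` file carries, because the denial is on the temporary file the PAM module creates next to it. That is the kind of rule worth reviewing rather than loading blindly, and the bug was fixed upstream in Cockpit's policy (the pull request linked below) rather than by a per-host module.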
I sent a fix to https://github.com/cockpit-project/cockpit/pull/18173
Hi Martin, sorry for not getting back earlier. I was gonna follow up now but realized you had debugged and fixed the problem already. Many thanks!
FEDORA-2023-7950dba0f6 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7950dba0f6
FEDORA-2023-4b710b3cf8 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4b710b3cf8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4b710b3cf8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4b710b3cf8 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.