By default, authselect configures pam-u2f such that if a user's configuration file cannot be read, the 2nd factor is ignored and only the password is taken into account. This is an issue in SELinux environments, where SELinux runs in enforcing mode and prevents pam-u2f from reading the user's configuration due to missing policies.
Mitigation: To manually permit the read of the config file, the file's SELinux context can be modified. For example, for a given user '<USER>':

# chcon -R -t auth_home_t ~<USER>/.config/Yubico
Created selinux-policy tracking bugs for this issue: Affects: fedora-all [bug 1871219]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Acknowledgments: Name: Dietmar Lippold
External References: https://bugzilla.redhat.com/show_bug.cgi?id=1860888
Upstream fix: Add file context for ~/.config/Yubico
https://github.com/fedora-selinux/selinux-policy/commit/71e1989028802c7875d3436fd3966c587fa383fb
Statement: Red Hat Enterprise Linux is not affected by this issue as it does not ship pam-u2f. In Fedora, updating the package does not trigger a relabeling of users' pre-existing 2nd factor configuration (including root's), so these may need to be updated manually, using the `fixfiles onboot` command followed by a reboot (or by applying the mitigation).
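Because pre-existing directories keep their old label after the package update, it helps to find which users still need the mitigation or a relabel. The script below is an added example, not part of the original report or the upstream fix: it lists `~/.config/Yubico` directories whose SELinux type is not `auth_home_t`. The function names, the `--scan` argument and the sample contexts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux labels on pam-u2f configuration directories.
EXPECTED_TYPE="auth_home_t"   # type set by the mitigation's chcon command

# Print the type field (3rd colon-separated field) of a context such as
# "unconfined_u:object_r:auth_home_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin (the format of `stat -c '%C %n'`)
# and print every path whose type differs from EXPECTED_TYPE.
find_mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(context_type "$ctx")" != "$EXPECTED_TYPE" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Emit "<context> <path>" for each existing Yubico directory under the
# home directories listed in the passwd database (root included).
collect_contexts() {
    getent passwd | cut -d: -f6 | sort -u | while read -r home; do
        dir="$home/.config/Yubico"
        [ -d "$dir" ] && stat -c '%C %n' "$dir"
    done
    return 0
}

# Constructed sample input; the non-matching type is illustrative only.
sample_contexts() {
    cat <<'EOF'
unconfined_u:object_r:auth_home_t:s0 /home/alice/.config/Yubico
unconfined_u:object_r:config_home_t:s0 /home/bob/.config/Yubico
EOF
}

# Scan the live system only when asked to: sh audit.sh --scan (as root)
if [ "${1:-}" = "--scan" ]; then
    collect_contexts | find_mislabeled
fi
```

Each path it prints is a directory pam-u2f may be unable to read under enforcing mode, and so a candidate for the `chcon` mitigation or a `fixfiles onboot` relabel.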