The exact steps depend on the case you want to solve. So I can only help you to help yourself.
The basic procedure is:
1. Identify the command/process that is issuing the PAM request (for TTY logins, and GDM, this would be `login` - but YMMV).
2. Check the audit log if you can see fails for that process. If not: your issue is likely a bug or configuration issue and not SELinux related.
3. Make an "allow" policy out of the fails reported in the audit log. This will most likely require multiple iterations, because SELinux by design terminates the code on the first violation. So each time you fix one, you will get another one, until the profile is complete.
To check your audit log you can use `ausearch`, see its manpage for details. An alternative is to just `cat` or `tail` the audit.log. If you already know the command/process name used in the audit log, use `ausearch -c myProcessName` to show only events for that process.
When you are sure which process the SELinux fails are logged under, you can then use a combination of `ausearch` and `audit2allow` to convert these logged fails into an allow profile. For example, if the command you are interested in is "login", the actual command would be `ausearch -c 'login' --raw | audit2allow -M login pam_usb-login`. This gets the audit log in a machine-readable form and pipes it to a utility to turn it into an allowance policy in the current folder.
After that you can install it with `semodule -i login.pp`. In my testing experience I've noticed that if the profile was previously installed and updated, you may need to reboot for it to become active/effective. So if the errors don't change even though you updated and installed the profile, reboot and continue.
It can also happen that because of these fails the pads become out of sync. In this case run `pamusb-conf --reset-pads=yourUserName` after a manual login.
If you create a profile for another distribution or release, please upload it in this discussion and mention the distribution and release you created it on. I will then include it in releases (and attribute you of course).
Please ask for clarification etc if you don't get a detail, this doc is just a starting point :)
For Fedora 40 you find a profile in #237 (see also https://github.com/mcdope/pam_usb/discussions/238). For every other distribution or release you are on your own currently.
See also: https://www.redhat.com/sysadmin/diagnose-selinux-violations - it contains generic info on how to solve SELinux issues and turn them into allowances.
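An added example, not part of the original post or of pam_usb: a small shell helper for the review step between `ausearch` and `audit2allow`. It reads raw audit records and prints, for one command, the merged allow rules its denials imply, so you can see what access a generated module would grant before installing it. The function names and the sample records (including the SELinux types in them) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=2101 comm="login" name="example.pad" dev="dm-0" ino=1001 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read open } for  pid=2101 comm="login" name="example.pad" dev="dm-0" ino=1001 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { search } for  pid=2101 comm="login" name="example" dev="dm-0" ino=1000 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:304): avc:  denied  { getattr } for  pid=2200 comm="sshd" name="example.pad" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=no exit=-13 comm="login" exe="/usr/bin/login"
EOF
}

# avc_summary COMM: read raw audit records on stdin and print one rule per
# (source type, target type, class), with all denied permissions merged.
# Assumes the command name contains no spaces.
avc_summary() {
    awk -v want="$1" '
    / avc: / && / denied / {
        comm = st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm != want) next
        key = st " " tt ":" cls
        inperm = 0
        for (i = 1; i <= NF; i++) {          # permissions sit between { and }
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") break
            if (inperm && index(" " perms[key] " ", " " $i " ") == 0)
                perms[key] = (perms[key] == "" ? $i : perms[key] " " $i)
        }
    }
    END { for (k in perms) print "allow " k " { " perms[k] " };" }
    ' | sort
}

sample_audit_log | avc_summary login
```

On a real system the input would come from `ausearch -c 'login' --raw | avc_summary login`. Run it on each iteration, since every fixed denial can reveal the next one.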