Howto: Create your own SELinux profile for pam_usb

[mcdope]

The exact steps depends on the case you want to solve. So I can only help you to help yourself.

The basic procedure is:

• identify the command/process that is issuing the PAM request (for TTY logins, and GDM, this would be login - but YMMV)
• check the audit log if you can see fails for that process, if not: your issue is likely a bug or configuration issue and not SELinux related
• Make an "allow" policy out of the fails reported in the audit log. This will most likely require multiple iterations, because SELinux by design terminates the code on the first violation. So each time you fixed one, you will get another one, until the profile is complete.

To check your auditlog you can use ausearch, see it's manpage for details. An alternative is to just cat or tail the audit.log. If you already know the command/process name used in the auditlog, use ausearch -c myProcessName to show only events for that process.

When you are sure which process the SELinux fails are logged under, you can use then use a combination of ausearch and audit2allow to convert these logged fails into an allow profile. In example, if the command you're are interested in is "login" the actual command would be au2search -c 'login' --raw | audit2allow -M login pam_usb-login. This gets the audit log in a machine-readable form and pipes it to a utility to turn it into an allowance policy in the current folder.

After that you can install it with semodule -i login.pp. In my testing experience I've noticed that if the profile was previously installed and updated, you may need to reboot for it to become active/effective. So if the errors don't change even though you updated and installed the profile, reboot and continue.

It can also happen that because of these fails the pads become out of sync, in this case run pamusb-conf --reset-pads=yourUserName after a manual login.

For Fedora 40 you find a profile in #237 (see also https://github.com/mcdope/pam_usb/discussions/238). For every other distribution or release you are on your own currently.

If you create a profile for another distribution or release, please upload it in this discussion and mention the distribution and release you created it one. I will then include it in releases (and attribute you of course).

Please ask for clarification etc if you don't get a detail, this doc is just a starting point :)

See also: https://www.redhat.com/sysadmin/diagnose-selinux-violations - it contains generic info on how to solve SELinux issues and turn them into allowances.

[v-Nyo]

Thanks for the guide! This is the first time I created a SELinux profile but I made my own crappy guide and succeeded in creating a profile for the TTY login on Fedora 41 and Google Authenticator on greetd:

Fedora uses authselect pls create a new authselect profile based on 'login'
then edit it e.g. '/etc/authselect/custom/profile/system-auth'
Then apply it with 'authselect select custom/profile'

Create a selinux policy for pam_usb.so in under 5min for TTY on Fedora 41:

1. Log into TTY1/Window Manager and logout of every other session and do:
'setenforce 1'
workpam=$(mktemp -d) && cd "$workpam"

2. Try to login on TTY2.  Then run on TTY1:
   l="login"
   sudo ausearch -c "$l" --raw > .new."$l" \
       && diff .old."$l" .new."$l" \
       ; cp .new."$l" .old."$l" \
       && cat .new."$l" | audit2allow -M custom-"$l" pam_usb-login \
       && sudo semodule -i custom-"$l".pp

3. When there is a diff repeat step 2

When there is no diff output it either finally works or you need to reboot.

Also optionally? make sure that the policy is sensible no unconfined or unlabeled files?

[v-Nyo]

Still I am unable to create a profile for Greetd and Hyprlock for pam_usb.so. Without SeLinux they work.

Could you help me with that? I don't know at all how to proceed, spent many hours trying to get this to work. I can't find any events related to those at all.

[mcdope]

Please don't use discussions or documentation to report issues or request support. Create an issue debugging information instead. Spoiler: considering your very exotic setup, chances are high that it's not SELinux related at all but local check. Am Do., 26. Dez. 2024 um 22:39 Uhr schrieb v-Nyo ***@***.***>:

…

Still I am unable to create a profile for Greetd and Hyprlock for pam_usb.so. Without SeLinux they work. Could you help me with that? I don't know at all how to proceed, spent many hours trying to get this to work. I can't find any events related to those at all. — Reply to this email directly, view it on GitHub <#241 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZI2U3PXVSULYCSL4UKNBL2HRZSNAVCNFSM6AAAAABLMYK7WOVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNRXGEZTANY> . You are receiving this because you authored the thread.Message ID: ***@***.***>