Bug 246355
| Summary: | SELinux Denial for pam_keyring precludes it from functioning... | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter Gordon <peter> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WORKSFORME | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-07-08 04:15:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've noticed that when I add gnome-keyring-daemon to startup with my session, it worksaround this issue. Sorry to bug you about this, then! :) Closing as WORKSFORME. |
Description of problem: As part of my effort to switch to a NetworkManager-based setup at home, I installed pam_keyring and configured it as noted in the Tools/NetworkManager page on the wiki. It was working very nicely until earlier yesterday when it simply ceased to function - NM asked for my wireless key again along with Evolution prompting for my Exchange password for my work account, etc. Thanks to the spiffy setroubleshoot tool, I was able to track this down to what I believe to be an SELinux denial: "SELinux is preventing /usr/libexec/pam-keyring-tool (xdm_t) "read" to machine-id (var_lib_t)." The reason I feel that this is SELinux-specific is that if I temporarily disable SELinux ("setenforce 0" as root), I can run the keyring daemon manually, then re-login and my keyring is already unlocked for me. The following is the raw AVC message: avc: denied { read } for comm="pam-keyring-too" dev=sda6 egid=500 euid=500 exe="/usr/libexec/pam-keyring-tool" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name="machine-id" pid=3167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=file tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=500 Version-Release number of selected component (if applicable): How reproducible: Every time. Steps to Reproduce: 1. Install pam_keyring and configure it according to http://fedoraproject.org/wiki/Tools/NetworkManager 2. Reboot with the targeted policy active and in enforcing mode. 3. ?? 4. Profit! (Or not...) :) Actual results: pam_keyring is prevented from functioning as it should. Expected results: pam_keyring should automatically unlock my keyring for the duration my login session through GDM. Additional info (package versions): selinux-policy-3.0.1-1.fc8 selinux-policy-targeted-3.0.1-1.fc8 gdm-2.19.3-3.fc8 pam_keyring-0.0.8-3.fc6 pam-0.99.7.1-6.fc8 Thanks!