Bug 1059262 - SELinux is preventing /usr/bin/gnome-keyring-daemon from using the 'ipc_lock' capabilities.
Summary: SELinux is preventing /usr/bin/gnome-keyring-daemon from using the 'ipc_lock'...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b88d4c13e51225da192ca6b6016...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-29 14:07 UTC by klaus
Modified: 2014-03-12 12:17 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 12:17:23 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description klaus 2014-01-29 14:07:46 UTC 
Description of problem:
don't know exactly, but I have a problem with password changing and login that is annoying for some time
and maybe coherent with that:
My key-layout is german (qwertz) but the lightdm login manager is expecting an US layout (qwerty),
so when I create a passwort containing 'y' in it, such as in 'yummy' then I'd have to type 'zummz'
in order to have access. Please help and let me have the identical german key-layout at login. 
SELinux is preventing /usr/bin/gnome-keyring-daemon from using the 'ipc_lock' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass gnome-keyring-daemon standardmäßig ipc_lock Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep gnome-keyring-d /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gnome-keyring-d
Source Path                   /usr/bin/gnome-keyring-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-keyring-3.10.1-1.fc20.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-119.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.7-300.fc20.i686 #1 SMP Fri
                              Jan 10 16:19:51 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-01-29 14:55:43 CET
Last Seen                     2014-01-29 14:55:43 CET
Local ID                      868507a2-4121-4c28-8382-8b3af82df23a

Raw Audit Messages
type=AVC msg=audit(1391003743.685:435): avc:  denied  { ipc_lock } for  pid=2892 comm="gnome-keyring-d" capability=14  scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1391003743.685:435): arch=i386 syscall=mlock success=yes exit=0 a0=b776b000 a1=4000 a2=8135000 a3=80ed017 items=0 ppid=2886 pid=2892 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-keyring-d,passwd_t,passwd_t,capability,ipc_lock

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.7-300.fc20.i686
type:           libreport

Potential duplicate: bug 1016743
Comment 1 Daniel Walsh 2014-01-29 20:00:02 UTC 
fba3723f1f81513fbdbe019eb407d52c58f84b09 fixes this in git.
Comment 2 klaus 2014-02-02 15:23:47 UTC 
(In reply to Daniel Walsh from comment #1)
> fba3723f1f81513fbdbe019eb407d52c58f84b09 fixes this in git.

Sure there is serveral ways for me to understand this, if you then please
guide me through to an agreeable and persistent result, that would be lots of thank you for sure.
Comment 3 Miroslav Grepl 2014-02-03 08:22:51 UTC 
You can download the latest builds from koji 

http://koji.fedoraproject.org/koji/buildinfo?buildID=495111

for no.
Comment 4 Fedora Update System 2014-02-18 22:09:14 UTC 
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
Comment 5 Fedora Update System 2014-02-22 00:41:25 UTC 
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2014-02-26 13:48:57 UTC 
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-03-12 12:17:23 UTC 
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.