Hide Forgot
Description of problem: <halfline> tpelka: that means selinux isn't allowing gdm to read the kernel keyring <halfline> gdm will try to use the kernel keyring if autologin is enabled <halfline> it grabs the disk encryption password from the kernel keyring and tries to use it to unlock the gnome keyring <halfline> in the chance they match <halfline> tpelka: so i guess we need an selinux policy update Version-Release number of selected component (if applicable): selinux-policy-3.13.1-125.el7.noarch gdm-3.22.3-2.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. autologin gdm 2. 3. Actual results: time->Wed Mar 15 12:27:22 2017 type=SYSCALL msg=audit(1489595242.898:155): arch=c000003e syscall=0 success=yes exit=0 a0=a a1=7fa3fe5bc000 a2=400 a3=22 items=0 ppid=14111 pid=14133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key type=AVC msg=audit(1489595242.898:155): avc: denied { view } for pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key Expected results: No AVC Additional info:
actually not a big deal, I don't think systemd in 7.4 supports the feature anyway come to think of it.
*** Bug 1448295 has been marked as a duplicate of this bug. ***
audit2allow says that the only change required is: #============= xdm_t ============== allow xdm_t kernel_t:key view; That doesn't seem to be too demanding, does it?
Matej, It's not but we need rhel-7.4 blocker + || exception + if we need to have it in rhel-7.4.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861