
Bug 1446158

Summary: SELinux prevents gnome-keyring-daemon from writing to user home directory
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 7.4
CC: lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-13 15:23:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1534323

Description Patrik Kis 2017-04-27 11:06:36 UTC
Description of problem:
The following AVC denial appeared when one of our tests was executed:

type=PROCTITLE msg=audit(1493035215.770:3993): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65
type=SYSCALL msg=audit(1493035215.770:3993): arch=c00000b7 syscall=34 success=no exit=-13 a0=ffffffffffffff9c a1=aaaad93c9fc0 a2=1c0 a3=aaaad93c9fc0 items=0 ppid=1 pid=23433 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1493035215.770:3993): avc:  denied  { write } for  pid=23433 comm="gnome-keyring-d" name="testuser_bz515809" dev="dm-2" ino=805306465 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-144.el7

How reproducible:
not sure

Steps to Reproduce:
not sure either

Comment 2 Lukas Vrabec 2018-03-02 09:14:33 UTC
Hi,

Are you able to reproduce it?

Comment 3 Lukas Vrabec 2018-06-09 13:48:58 UTC
Please see comment #2.

Thanks,
Lukas.

Comment 4 Patrik Kis 2018-06-11 07:06:46 UTC
I'm not sure how to reproduce it, unfortunately.

Comment 5 Lukas Vrabec 2018-06-11 08:01:18 UTC
Could we close this bug and if you catch it again, will you re-open it? 

Thanks,
Lukas.

Comment 6 Patrik Kis 2018-06-11 09:21:32 UTC
Do as you think is best.
But regarding the reproducer, I don't think we will be in a better position in the future either. If I recall correctly, this AVC denial just appeared randomly.

Comment 7 Patrik Kis 2018-06-11 09:23:00 UTC
Sorry, I forgot to answer your question. Yes, indeed, I will reopen it if I catch these AVCs again.

Comment 8 Milos Malik 2018-06-11 09:47:45 UTC
Reproducible on RHEL-7:
----
type=PROCTITLE msg=audit(06/11/2018 11:45:53.027:1783) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:45:53.027:1783) : item=1 name=/home/test-user/.local nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:45:53.027:1783) : item=0 name=/home/test-user/ inode=8569646 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:45:53.027:1783) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:45:53.027:1783) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x563efaee0ab0 a1=0700 a2=0x563efaee0ac6 a3=0x2f726573752d7473 items=2 ppid=1 pid=24117 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=9 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:45:53.027:1783) : avc:  denied  { write } for  pid=24117 comm=gnome-keyring-d name=test-user dev="vda3" ino=8569646 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 
----

Comment 9 Milos Malik 2018-06-11 09:52:00 UTC
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.065:1826) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.065:1826) : item=1 name=/home/test-user/.local inode=8569651 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.065:1826) : item=0 name=/home/test-user/ inode=8569646 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.065:1826) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.065:1826) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x56390c992680 a1=0700 a2=0x56390c992696 a3=0x2f726573752d7473 items=2 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { create } for  pid=24477 comm=gnome-keyring-d name=.local scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { add_name } for  pid=24477 comm=gnome-keyring-d name=.local scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { write } for  pid=24477 comm=gnome-keyring-d name=test-user dev="vda3" ino=8569646 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.075:1827) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.075:1827) : item=0 name=/home/test-user/.local/share/keyrings inode=26016340 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.075:1827) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.075:1827) : arch=x86_64 syscall=openat success=yes exit=12 a0=0xffffffffffffff9c a1=0x56390c9926b0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.075:1827) : avc:  denied  { read } for  pid=24477 comm=gnome-keyring-d name=keyrings dev="vda3" ino=26016340 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.075:1828) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.075:1828) : item=1 name=/home/test-user/.local/share/keyrings/login.keyring inode=26027439 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.075:1828) : item=0 name=/home/test-user/.local/share/keyrings/ inode=26016340 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.075:1828) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.075:1828) : arch=x86_64 syscall=open success=yes exit=12 a0=0x56390c9aa880 a1=O_RDONLY|O_CREAT|O_EXCL a2=0600 a3=0x79656b2f65726168 items=2 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.075:1828) : avc:  denied  { read open } for  pid=24477 comm=gnome-keyring-d path=/home/test-user/.local/share/keyrings/login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.075:1828) : avc:  denied  { create } for  pid=24477 comm=gnome-keyring-d name=login.keyring scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.075:1829) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.075:1829) : item=0 name=/home/test-user/.local/share/keyrings/login.keyring inode=26027439 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.075:1829) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.075:1829) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x56390c996a30 a1=0x7fffbc31fb20 a2=0x7fffbc31fb20 a3=0x9517e53200000000 items=1 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.075:1829) : avc:  denied  { getattr } for  pid=24477 comm=gnome-keyring-d path=/home/test-user/.local/share/keyrings/login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.075:1830) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.075:1830) : item=2 name=/home/test-user/.local/share/keyrings/login.keyring.temp-1011802476 inode=26027439 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.075:1830) : item=1 name=/home/test-user/.local/share/keyrings/ inode=26016340 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.075:1830) : item=0 name=/home/test-user/.local/share/keyrings/login.keyring inode=26027439 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.075:1830) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.075:1830) : arch=x86_64 syscall=link success=yes exit=0 a0=0x56390c996a30 a1=0x56390c9aa940 a2=0x0 a3=0x79656b2f65726168 items=3 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.075:1830) : avc:  denied  { link } for  pid=24477 comm=gnome-keyring-d name=login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.075:1830) : avc:  denied  { write } for  pid=24477 comm=gnome-keyring-d name=login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 11:50:27.095:1831) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=PATH msg=audit(06/11/2018 11:50:27.095:1831) : item=4 name=/home/test-user/.local/share/keyrings/login.keyring inode=26027441 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.095:1831) : item=3 name=/home/test-user/.local/share/keyrings/login.keyring inode=26027439 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.095:1831) : item=2 name=/home/test-user/.local/share/keyrings/.temp-2N4GKZ inode=26027441 dev=fd:03 mode=file,600 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.095:1831) : item=1 name=/home/test-user/.local/share/keyrings/ inode=26016340 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 11:50:27.095:1831) : item=0 name=/home/test-user/.local/share/keyrings/ inode=26016340 dev=fd:03 mode=dir,700 ouid=test-user ogid=test-user rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:50:27.095:1831) : cwd=/home/test-user 
type=SYSCALL msg=audit(06/11/2018 11:50:27.095:1831) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x56390c995300 a1=0x56390c996a30 a2=0x0 a3=0x0 items=5 ppid=1 pid=24477 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=10 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:50:27.095:1831) : avc:  denied  { unlink } for  pid=24477 comm=gnome-keyring-d name=login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.095:1831) : avc:  denied  { rename } for  pid=24477 comm=gnome-keyring-d name=.temp-2N4GKZ dev="vda3" ino=26027441 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/11/2018 11:50:27.095:1831) : avc:  denied  { remove_name } for  pid=24477 comm=gnome-keyring-d name=.temp-2N4GKZ dev="vda3" ino=26027441 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 
----
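The permissive-mode records above (and the raw-format AVC in the description) are easiest to reason about once they are collapsed into the distinct (source type, target type, object class) groups and the union of permissions each group was denied. That grouping is what a policy maintainer looks at before choosing between adding allow rules and running the daemon in a domain other than passwd_t, which the subj= field shows it inherited here. The script below is an added example, not code from this bug or from the selinux-policy project. It parses a handful of AVC lines copied from this bug (a constructed sample covering both the raw audit format and the ausearch -i interpreted format), decodes the hex-encoded proctitle of the raw record, and renders each group in the same allow-rule shape audit2allow prints; the rendering is a hand-written approximation, not audit2allow itself.

```python
import re

# Constructed sample: AVC lines copied from this bug. The first two are the raw
# audit format from the description; the rest are ausearch -i output from
# comment 9 (permissive=1).
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(1493035215.770:3993): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65
type=AVC msg=audit(1493035215.770:3993): avc:  denied  { write } for  pid=23433 comm="gnome-keyring-d" name="testuser_bz515809" dev="dm-2" ino=805306465 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { create } for  pid=24477 comm=gnome-keyring-d name=.local scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { add_name } for  pid=24477 comm=gnome-keyring-d name=.local scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.065:1826) : avc:  denied  { write } for  pid=24477 comm=gnome-keyring-d name=test-user dev="vda3" ino=8569646 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.075:1828) : avc:  denied  { read open } for  pid=24477 comm=gnome-keyring-d path=/home/test-user/.local/share/keyrings/login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.075:1828) : avc:  denied  { create } for  pid=24477 comm=gnome-keyring-d name=login.keyring scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.095:1831) : avc:  denied  { unlink } for  pid=24477 comm=gnome-keyring-d name=login.keyring dev="vda3" ino=26027439 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/11/2018 11:50:27.095:1831) : avc:  denied  { remove_name } for  pid=24477 comm=gnome-keyring-d name=.temp-2N4GKZ dev="vda3" ino=26027441 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { read open } for  pid=... key=value ..." in both raw and
# interpreted records; the double spaces are part of the kernel's format.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value tokens; values may be quoted (raw format) or bare (interpreted).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    fields["perms"] = frozenset(m.group("perms").split())
    fields["denied"] = m.group("verdict") == "denied"
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def summarize(records_text):
    """Group denials by (source type, target type, class) and union the permissions.

    'enforced' records whether any denial in the group happened with
    permissive=0, i.e. the access was actually blocked, not merely logged."""
    summary = {}
    for line in records_text.splitlines():
        avc = parse_avc(line)
        if not avc or not avc["denied"]:
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "enforced": False, "pids": set()})
        entry["perms"] |= avc["perms"]
        entry["enforced"] = entry["enforced"] or avc.get("permissive") == "0"
        entry["pids"].add(avc.get("pid"))
    return summary


def allow_rules(summary):
    """Render each group as the allow rule it implies (same shape as audit2allow
    output; hand-written approximation). Sorted so the output is deterministic."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


def decode_proctitle(line):
    """Return the command line from a PROCTITLE record as a list of arguments.

    Raw records hex-encode the NUL-separated argv; interpreted records (ausearch
    -i) print it literally. A literal command line made only of hex digits would
    be misdecoded by this heuristic; none appears in the audit formats here."""
    m = re.search(r"proctitle=(.*?)\s*$", line)
    if not m:
        return None
    value = m.group(1)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace").split("\0")
    return value.split()


if __name__ == "__main__":
    for line in SAMPLE_RECORDS.splitlines():
        if line.startswith("type=PROCTITLE"):
            print("command:", decode_proctitle(line))
    groups = summarize(SAMPLE_RECORDS)
    for key, entry in sorted(groups.items()):
        mode = "ENFORCED" if entry["enforced"] else "permissive only"
        print(key, sorted(entry["perms"]), mode)
    print("\n".join(allow_rules(groups)))
```

Running it on the sample yields two groups, both with passwd_t as the source type: the dir group (write, create, add_name, remove_name on user_home_dir_t) contains the one enforcing-mode denial from the description, while the file group (create, read, open, unlink on login.keyring) was only observed in permissive mode. Feeding the real audit log through ausearch -m AVC first keeps the input to AVC records; the grouping deliberately drops pid, inode and path so that a single policy decision per (source, target, class) is visible.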

Comment 10 Milos Malik 2018-06-11 10:02:54 UTC
There may be more reproducers for this issue, but here is the one I tried:

1) install gnome-keyring and gnome-keyring-pam packages
2) install oddjob and oddjob-mkhomedir packages
3) start the oddjobd service
4) create a user without creating its home directory
5) assign the user a password
6) enable the system-wide use of oddjob-mkhomedir (# authconfig --enablemkhomedir --update)
7) log in as the newly created user via ssh
8) stay logged in and change its password via passwd
9) search for SELinux denials

Comment 11 Milos Malik 2018-06-11 10:07:21 UTC
I believe this bug is a duplicate of BZ#1373186.

Comment 12 Lukas Vrabec 2018-06-13 15:23:45 UTC

*** This bug has been marked as a duplicate of bug 1373186 ***