Description of problem: Installation of pam-kwallet 5.12.5-3.fc27 causes lightdm to fail starting polkit system, resulting in the inability to perform any action with elevated privileges. Version-Release number of selected component (if applicable): lightdm 1.25.2-1.fc27 pam-kwallet 5.12.5-3.fc27 How reproducible: Consistent Steps to Reproduce: 1. Install or upgrade to lightdm 1.25.2-1.fc27 2. Install pam-kwallet 5.12.5-3.fc27 3. Log out of session, then log back in 4. You should have no ability to enable/disable wireless network, no access to audio hardware, inability to log out of session completely or reboot the system without dropping to text terminal, logging in as root and issuing a reboot command from there. Actual results: As described in item 4, above Expected results: Polkit permitting one to elevate permissions to perform normal operations Additional info: Commenting out references to pam_kwallet.so and pam_kwallet5.so in the /etc/pam.d/lightdm file, then logging out and back in restores expected functionality.
Part of the problem may be selinux related. I just installed lightdm on a fully updated F28/KDE system. When I enabled lightdm I get the following AVC. type=AVC msg=audit(1527032185.328:197): avc: denied { listen } for pid=996 comm="lightdm" path="/tmp/kwallet5_egreshko.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
I did start the system with the kernel parameter selinux=0 and that did not solve anything. The problems noted in the original report are present.
There may be selinux issues also involved, but the machine exhibiting the behavior (the very laptop that I'm composing this on) has SELinux disabled: [root@golem4 ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted [root@golem4 ~]# getenforce Disabled It is disabled due to some other work I was doing, and the issue didn't pop up until pam-kwallet got updated on Friday the 18th. Prior to that I had no issues with any permutation of SELinux (enabled/targeted, in permissive mode or disabled completely). Note that the update Friday updated a lot of things (pam-kwallet being just one of them), however lightdm was NOT one of the updates and removing references to pam-kwallet in the pam config rectified the problem. Makes it rather clear it's pam-kwallet that's the culprit.
This is at the bottom of my to do list, it is likely f27 will Go EOL first.
(In reply to leigh scott from comment #4) > This is at the bottom of my to do list, it is likely f27 will Go EOL first. See comment #1. It fails on F28 as well.
(In reply to Ed Greshko from comment #5) > (In reply to leigh scott from comment #4) > > This is at the bottom of my to do list, it is likely f27 will Go EOL first. > > See comment #1. It fails on F28 as well. F28+ lightdm hasn't been touched for months so is unlikely to be the cause of the issue. The issue is more likely caused by recent pam-kwallet changes/fixes https://src.fedoraproject.org/cgit/rpms/pam-kwallet.git/log/?h=f27
*** Bug 1581688 has been marked as a duplicate of this bug. ***
I'm having trouble reproducing this.
(In reply to Rex Dieter from comment #8) > I'm having trouble reproducing this. Well, all I had to do to reproduce it was to add lightdm to a fully updated F28/KDE system and then enable lightdm. After that logins took much longer, a popup in the systray shows an authentication error and it is impossible to enter a password for Wifi.
Things I tried after installing and enabling lightdm on update-to-date (updates-testing enabled) f28 box with selinux defaults (enabled): 1 login to plasma (existing user) 2 login to xfce (new user) 3 login to plasma (new user) That said, first try to login to plasma (1) after installing lightdm failed (session failed to start). Rebooting fixed it.
(In reply to Rex Dieter from comment #10) Did you install the complete xfce desktop environment? I just installed lightdm and the 3(?) dependencies. I'll be enabling "updates-testing" and updating with that in my morning to see if it changes anything.
I initially installed only lightdm, then re-tried after doing: dnf install @xfce-desktop with xfce session
I stayed up a bit longer. Enabled updates-testing and updated. It didn't fix anything. The journal shows [root@f28k-b1 ~]# journalctl -b 0 | grep -i authenti May 23 22:54:46 f28k-b1.greshko.com lightdm[984]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate May 23 22:54:46 f28k-b1.greshko.com audit[984]: USER_AUTH pid=984 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 22:55:17 f28k-b1.greshko.com ksmserver[1140]: ksmserver: Starting autostart service "/etc/xdg/autostart/polkit-kde-authentication-agent-1.desktop" ("/usr/libexec/kf5/polkit-kde-authentication-agent-1") May 23 22:55:17 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: kf5.kcoreaddons.kaboutdata: Could not initialize the equivalent properties of Q*Application: no instance (yet) existing. May 23 22:55:17 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko' May 23 22:55:18 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko' May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: "Cannot create unix session: No session for pid 1288" May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: "Cannot register authentication agent!" May 23 22:55:20 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1288]: Couldn't register listener! May 23 22:55:52 f28k-b1.greshko.com plasmashell[1280]: PK error: "Failed to obtain authentication." type: "not-authorized" May 23 22:57:14 f28k-b1.greshko.com audit[1810]: USER_AUTH pid=1810 uid=1029 auid=1029 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=f28k-b1.greshko.com addr=? terminal=pts/1 res=success'
May 23 22:54:46 f28k-b1.greshko.com audit[984]: USER_AUTH pid=984 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' This one seems to imply pam_kwallet5 was successful any other kwallet-related logging ? Mine (when things are working as expected: $ journalctl -b 0 | grep -i kwallet May 23 08:28:09 localhost.localdomain lightdm[5736]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session May 23 08:28:09 localhost.localdomain audit[5736]: USER_END pid=5736 uid=0 auid=1001 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_lastlog acct="foo" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 08:28:09 localhost.localdomain audit[5736]: CRED_DISP pid=5736 uid=0 auid=1001 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="foo" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 08:28:09 localhost.localdomain lightdm[5736]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate May 23 08:28:23 localhost.localdomain audit[7504]: USER_AUTH pid=7504 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred May 23 08:28:23 localhost.localdomain audit[7504]: CRED_ACQ pid=7504 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 08:28:23 localhost.localdomain lightdm[7504]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session May 23 08:28:23 localhost.localdomain lightdm[7517]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_rdieter.socket May 23 08:28:23 localhost.localdomain audit[7504]: USER_START pid=7504 uid=0 auid=1000 ses=8 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_lastlog acct="rdieter" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 08:28:24 localhost.localdomain ksmserver[7760]: ksmserver: Starting autostart service "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/usr/libexec/pam_kwallet_init")
Hmm, looking in yesterdays logs, I can't quite tell whether these messaages were from the bad version or from the rpm upgrade/downgrades themselves, but they do look fishy: May 23 12:57:27 major lightdm[1791]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket May 23 12:57:27 major audit[1806]: AVC avc: denied { listen } for pid=1806 comm="lightdm" path="/tmp/kwallet5_dg.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe May 23 12:57:31 major setroubleshoot[1808]: failed to retrieve rpm info for /tmp/kwallet5_dg.socket May 23 12:57:31 major setroubleshoot[1808]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_dg.socket. For complete SELinux messages run: sealert -l 2cc25aa8-fde2-4948-812c-2e8a69d90fc1 May 23 12:57:31 major python3[1808]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_dg.socket. If you believe that lightdm should be allowed listen access on the kwallet5_dg.socket unix_dgram_socket by default. May 23 12:59:54 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session May 23 12:59:54 major lightdm[1806]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate May 23 12:59:58 major audit[2621]: USER_AUTH pid=2621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix,pam_gnome_keyring,pam_kwallet5 acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred May 23 12:59:58 major audit[2621]: CRED_ACQ pid=2621 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix,pam_gnome_keyring,pam_kwallet5 acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session May 23 12:59:58 major lightdm[2621]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket May 23 12:59:58 major audit[2621]: USER_START pid=2621 uid=0 auid=1000 ses=9 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_gnome_keyring,pam_kwallet5,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_lastlog acct="dg" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
If it helps any, in the failing configuration if you run /usr/libexec/xfce-polkit -v you will get the error popup and this will be displayed on the console you ran it from: ** (xfce-polkit:<process-id>): CRITICAL **: polkit_agent_listener_register_with_options: assertion 'POLKIT_IS_SUBJECT (subject)' failed If you dismiss the popup, you will get: (xfce-polkit:<process-id>): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed on the console you ran it from. It is definitely a lightdm/pam-kwallet interaction of some sort. As mentioned above, I never had issues regardless of SELinux status until the pam-kwallet upgrade to 5.12.5-3.fc27 and removing references to pam_kwallet and pam_kwallet5 in the pam configuration resolves the problem. Regardless of the EOL status of F27, I've heard this is an issue with F28 as well. I have F28 in a VM, but have not tried this particular scenario on it.
This also affects the mate desktop. I have 2 systems running F27 with lightdm. On one system when I try to logout it simply restarts my session and I cannot mount any external USB drives due to authentication errors. On the other everything works fine. The difference between the 2 is the failing system has pam-kwallet installed the other doesn't.
This highlights the issue I think from comment #15 : May 23 12:57:27 major audit[1806]: AVC avc: denied { listen } for pid=1806 comm="lightdm" path="/tmp/kwallet5_dg.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket selinux prevented reading of the kwallet5 socket (I've only tested on f28 so far, unsuccessful in reproducing the problem)
(In reply to Rex Dieter from comment #18) > This highlights the issue I think from comment #15 : > > May 23 12:57:27 major audit[1806]: AVC avc: denied { listen } for pid=1806 > comm="lightdm" path="/tmp/kwallet5_dg.socket" > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket > permissive=0 > May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): > pam_kwallet5-kwalletd: Couldn't listen in socket > > > selinux prevented reading of the kwallet5 socket (I've only tested on f28 > so far, unsuccessful in reproducing the problem) Curious thing is my c15 is from f28
As I mentioned before, the polkit problem occurs even with SELinux disabled. That being said, enabling SELinux may also prevent reading of the kwallet5 socket, but I see that as a separate (although related) issue. If I get a chance today, I'll take a whack at the various scenarios on my F28 VM. Can't guarantee anything. As Dire Straits once lyricized "he's got a daytime job, he's doing all right." The "doing all right" bit is questionable, however...
*** Bug 1580984 has been marked as a duplicate of this bug. ***
Re: comment #20 > the polkit problem occurs even with SELinux disabled there may be multiple problems, and the selinux denial is all we have to go on so far.
(In reply to Rex Dieter from comment #14) > $ journalctl -b 0 | grep -i kwallet This is mine, after a login. May 24 09:33:47 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate May 24 09:33:47 f28k-b1.greshko.com audit[985]: USER_AUTH pid=985 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 24 09:33:48 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred May 24 09:33:48 f28k-b1.greshko.com audit[985]: CRED_ACQ pid=985 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring,pam_kwallet5 acct="egreshko" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success' May 24 09:33:48 f28k-b1.greshko.com lightdm[985]: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_egreshko.socket May 24 09:33:48 f28k-b1.greshko.com audit[1002]: AVC avc: denied { listen } for pid=1002 comm="lightdm" path="/tmp/kwallet5_egreshko.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket May 24 09:33:48 f28k-b1.greshko.com lightdm[1002]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe May 24 09:33:53 f28k-b1.greshko.com setroubleshoot[1004]: failed to retrieve rpm info for /tmp/kwallet5_egreshko.socket May 24 09:33:53 f28k-b1.greshko.com setroubleshoot[1004]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_egreshko.socket. For complete SELinux messages run: sealert -l 30e74a3d-3d22-40a1-aa83-cd2827430e46 May 24 09:33:53 f28k-b1.greshko.com python3[1004]: SELinux is preventing lightdm from listen access on the unix_dgram_socket /tmp/kwallet5_egreshko.socket. If you believe that lightdm should be allowed listen access on the kwallet5_egreshko.socket unix_dgram_socket by default. May 24 09:34:19 f28k-b1.greshko.com ksmserver[1169]: ksmserver: Starting autostart service "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/usr/libexec/pam_kwallet_init") I also then tried to connect to a Wifi. The password seems to have been taken but the connection is made and the journal shows. May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125794.7325] wifi-wext: (wlan0): using WEXT for WiFi device control May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125794.7467] manager: (wlan0): new 802.11 WiFi device (/org/freedesktop/NetworkManager/Devices/3) May 24 09:36:34 f28k-b1.greshko.com dbus-daemon[544]: [system] Activating via systemd: service name='fi.w1.wpa_supplicant1' unit='wpa_supplicant.service' requested by ':1.11' (uid=0 pid=627 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") May 24 09:36:34 f28k-b1.greshko.com org_kde_powerdevil[1367]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices" May 24 09:36:34 f28k-b1.greshko.com org_kde_powerdevil[1367]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "LldpNeighbors" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "Real" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices" May 24 09:36:34 f28k-b1.greshko.com plasmashell[1281]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "AllDevices" May 24 09:36:34 f28k-b1.greshko.com kdeinit5[1113]: networkmanager-qt: void NetworkManager::NetworkManagerPrivate::propertiesChanged(const QVariantMap&) Unhandled property "Devices" May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125794.8570] supplicant: wpa_supplicant running May 24 09:36:34 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125794.9789] device (wlp0s11u1): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external') May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <warn> [1527125806.1468] device (wlp0s11u1): set-hw-addr: new MAC address DA:E8:7D:44:04:B1 not successfully set (scanning) May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125806.1816] sup-iface[0x55a044100380,wlp0s11u1]: supports 1 scan SSIDs May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125806.1841] device (wlp0s11u1): supplicant interface state: starting -> ready May 24 09:36:46 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125806.1844] device (wlp0s11u1): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed') May 24 09:36:47 f28k-b1.greshko.com plasmashell[1281]: org.kde.plasmaquick: Applet "Networks" loaded after 0 msec May 24 09:36:47 f28k-b1.greshko.com plasmashell[1281]: org.kde.plasmaquick: Increasing score for "Networks" to 39 May 24 09:36:48 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125808.3623] device (wlp0s11u1): supplicant interface state: ready -> inactive May 24 09:37:08 f28k-b1.greshko.com NetworkManager[627]: <info> [1527125828.1834] audit: op="connection-add-activate" pid=1281 uid=1029 result="fail" reason="Not authorized to control networking."
Also, these polkit entries seem wrong. May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: kf5.kcoreaddons.kaboutdata: Could not initialize the equivalent properties of Q*Application: no instance (yet) existing. May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko' May 24 09:34:19 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-egreshko' May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: "Cannot create unix session: No session for pid 1287" May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: "Cannot register authentication agent!" May 24 09:34:22 f28k-b1.greshko.com polkit-kde-authentication-agent-1[1287]: Couldn't register listener!
(In reply to Ed Greshko from comment #23) > I also then tried to connect to a Wifi. The password seems to have been > taken but the connection is made and the journal shows. Should have read.... but the connection is *NOT* made ....
Assigning to selinux-policy due to known denial: May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_dg.socket May 23 12:57:27 major audit[1806]: AVC avc: denied { listen } for pid=1806 comm="lightdm" path="/tmp/kwallet5_dg.socket" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket May 23 12:57:27 major lightdm[1806]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe
anyone experiencing this (at least those who have selinux enabled), I recommend you consider relabelling and rebooting your systems (as root): touch /.autorelabel rm -f /tmp/kwallet*.socket reboot
(In reply to Rex Dieter from comment #27) Done, with no change as the result. :-(
I started having this issue after a recent update.(dnf update). Not sure what changed. I do have 'pam_kwallet.so' in '/etc/pam.d/lightdm'.
I can also confirm that this can happen with SELinux off.
Oh and in case, it means something, with lightdm OFF, when I use 'startx' to start X and then use 'chrome'(not chromium), I get a dialogue asking me to enter the password to my keychain(which is my login password). This seems expected though, as a bet lightdm is supposed to pass the info too KWallet.
> I can also confirm that this can happen with SELinux off. The same for me. With SELinux off and using a MATE session, I add those traces in the journal: ### pam_kwallet fail to listen to its socket: lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket path: /tmp/kwallet5_fm.socket lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: Couldn't listen in socket lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: Impossible to write walletKey to walletPipe lightdm[10869]: pam_kwallet(lightdm:session): pam_kwallet: pam_sm_open_session lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: final socket path: /tmp/kwallet_fm.socket lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet-kwalletd: Couldn't listen in socket lightdm[10870]: pam_kwallet(lightdm:session): pam_kwallet: Impossible to write walletKey to walletPipe ### Fail to create session: lightdm[10870]: pam_systemd(lightdm:session): Failed to create session: Access denied lightdm[10870]: pam_unix(lightdm:session): session opened for user fm by (uid=1005) ### Fail to register in lastlog and btmp lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/lastlog: Permission denied lightdm[10870]: pam_lastlog(lightdm:session): unable to open /var/log/btmp: Permission denied In /etc/pam.d/lightdm we have: auth substack system-auth -auth optional pam_gnome_keyring.so -auth optional pam_kwallet5.so -auth optional pam_kwallet.so .. -session optional pam_gnome_keyring.so auto_start -session optional pam_kwallet5.so -session optional pam_kwallet.so session include system-auth I tried to put system-auth before the pam_kwallet* in the session part: nmcli works, but logout no. In this case the socket is put under /run/user/$UID that is created before, but still "Couldn't listen in socket" I haven't tried to put the pam_kwallet* last in the session part. sddm is perhaps subject to this bug since it includes also the pam_kwallet* modules. I haven't tested it. I can make more tests if you need.
@rdieter Maybe this upstream commit could mitigate the pam-kwallet issue. https://github.com/CanonicalLtd/lightdm/pull/13 IMO lingering apps should be killed by logind/systemd on logout.
lightdm-1.26.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c2587fb84
lightdm-1.26.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd8b0fc678
Re: comment #33 Possible, to test set KillUserProcesses=yes in /etc/systemd/logind.conf to see if that helps any
lightdm-1.26.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd8b0fc678
lightdm-1.26.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c2587fb84
lightdm-1.26.0-1.fc28 does not fix this BZ
(In reply to Ed Greshko from comment #39) > lightdm-1.26.0-1.fc28 does not fix this BZ I agree, tested (LightDM + Xmonad) with: ~~~ $ rpm -qa | grep lightdm lightdm-gtk-2.0.5-1.fc28.x86_64 lightdm-gobject-1.26.0-1.fc28.x86_64 lightdm-1.26.0-1.fc28.x86_64 ~~~
(In reply to Francis.Montagnac from comment #32) > With SELinux off and using a MATE session, I add those traces in the > journal: > ### pam_kwallet fail to listen to its socket: > > lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5: final socket > path: /tmp/kwallet5_fm.socket > lightdm[10869]: pam_kwallet5(lightdm:session): pam_kwallet5-kwalletd: > Couldn't listen in socket Looking at the source in pam_kwallet.c, execute_kwallet drop_privileges first, and does a return and not an exit after having emitted this "Couldn't listen in socket". Then the calling function, start_kwallet does: //Child fork, will contain kwalletd case 0: execute_kwallet(pamh, userInfo, toWalletPipe, fullSocket); /* Should never be reached */ break; //Parent default: waitpid(pid, &status, 0); thus the child continues, but with dropped privileges while the parent waits. This explain the following errors: > ### Fail to create session: > > lightdm[10870]: pam_systemd(lightdm:session): Failed to create session: > Access denied > ### Fail to register in lastlog and btmp > lightdm[10870]: pam_lastlog(lightdm:session): unable to open > /var/log/lastlog: Permission denied > lightdm[10870]: pam_lastlog(lightdm:session): unable to open > /var/log/btmp: Permission denied I think one should replace the break above by an exit. That will fix the problem for the subsequent pam modules. One should perhaps instrument execute_kwallet to understand why it fails to listen.
If you believe this to indeed be an issue with pam-kwallet, please engage upstream at: https://bugs.kde.org/enter_bug.cgi?product=kwallet-pam (best if this were done by someone who case reproduce the issue, which I cannot unfortunately)
Let's triage this back to pam-kwallet then
*** Bug 1591002 has been marked as a duplicate of this bug. ***
Thanks to enterprising sluething user, this may be a lightdm issue after all. See also related problem with gnome-keyring not opening in bug #1631220 , can anyone verify if adjusting snippet in /etc/pam.d/lightdm from -session optional pam_gnome_keyring.so auto_start -session optional pam_kwallet5.so -session optional pam_kwallet.so session include system-auth to session include system-auth -session optional pam_gnome_keyring.so auto_start -session optional pam_kwallet5.so -session optional pam_kwallet.so ie, moving the 'session ... system-auth' line to before those of pam_gnome_keyring and pam_kwallet, helps?
lightdm-1.28.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9d3a142b3e
lightdm-1.28.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0507831aa
lightdm-1.28.0-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-227b29d323
lightdm-1.28.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9d3a142b3e
lightdm-1.28.0-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-227b29d323
lightdm-1.28.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0507831aa
lightdm-1.28.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
lightdm-1.28.0-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
lightdm-1.28.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
When I've logged in to Plasma 5.14.3 from lightdm 1.28.0-2 in Fedora 29, I saw the following messages related to pam-kwallet 5.14.3-1 in the journal. pam_kwallet5(lightdm:auth): (null): pam_sm_authenticate pam_kwallet5(lightdm:setcred): pam_kwallet5: pam_sm_setcred pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_open_session pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket pam_kwallet5-kwalletd: Couldn't listen in socket pam_kwallet5(lightdm:session): pam_kwallet5: Couldn't fork to execv kwalletd The same messages occurred with Plasma/pam-kwallet 5.13.5 and earlier versions. kwallet was not unlocked when logging in likely related to those errors "Couldn't listen in socket" and "Couldn't fork to execv kwalletd". When I started kwalletmanager and clicked open, a pop up window asked for the password. The error "Couldn't listen in socket" was noted above. I couldn't find the error "Couldn't fork to execv kwalletd" above. I've reported this issue with more details at https://bugs.kde.org/show_bug.cgi?id=400929
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.