Bug 246355 - SELinux Denial for pam_keyring precludes it from functioning...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-30 17:22 EDT by Peter Gordon
Modified: 2007-11-30 17:12 EST (History)
Last Closed: 2007-07-08 00:15:38 EDT
Description Peter Gordon 2007-06-30 17:22:14 EDT
Description of problem:
As part of my effort to switch to a NetworkManager-based setup at home, I
installed pam_keyring and configured it as noted in the Tools/NetworkManager
page on the wiki. It was working very nicely until earlier yesterday when it
simply ceased to function - NM asked for my wireless key again along with
Evolution prompting for my Exchange password for my work account, etc.

Thanks to the spiffy setroubleshoot tool, I was able to track this down to what
I believe to be an SELinux denial: "SELinux is preventing
/usr/libexec/pam-keyring-tool (xdm_t) "read" to machine-id (var_lib_t)."

The reason I feel that this is SELinux-specific is that if I temporarily disable
SELinux ("setenforce 0" as root), I can run the keyring daemon manually, then
re-login and my keyring is already unlocked for me.

The following is the raw AVC message: 
avc: denied { read } for comm="pam-keyring-too" dev=sda6 egid=500 euid=500
exe="/usr/libexec/pam-keyring-tool" exit=-13 fsgid=500 fsuid=500 gid=500 items=0
name="machine-id" pid=3167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
sgid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=file
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=500 
Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Install pam_keyring and configure it according to
2. Reboot with the targeted policy active and in enforcing mode.
3. ??
4. Profit! (Or not...) :)

Actual results:
pam_keyring is prevented from functioning as it should.

Expected results:
pam_keyring should automatically unlock my keyring for the duration of my login
session through GDM.

Additional info (package versions):

Comment 1 Peter Gordon 2007-07-08 00:15:38 EDT
I've noticed that when I add gnome-keyring-daemon to startup with my session, it
works around this issue.

Sorry to bug you about this, then! :) Closing as WORKSFORME.
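
The raw AVC message quoted in the description, parsed into its fields as an added example (not part of the original report or of any SELinux tool; the function names are hypothetical). It splits the source and target contexts without breaking on the colon inside the MLS range s0-s0:c0.c1023, and decodes exit=-13 to its errno name.

```python
import errno
import re

# The raw AVC record quoted in the bug description, joined onto one line.
AVC = (
    'avc: denied { read } for comm="pam-keyring-too" dev=sda6 egid=500 euid=500 '
    'exe="/usr/libexec/pam-keyring-tool" exit=-13 fsgid=500 fsuid=500 gid=500 '
    'items=0 name="machine-id" pid=3167 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500 '
    'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=file '
    'tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=500'
)

HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def parse_avc(record):
    """Return the decision, permissions, raw fields and split contexts."""
    m = HEAD.search(record)
    if not m:
        raise ValueError('no AVC header found')
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group(3))}
    code = int(fields.get('exit', '0'))
    return {
        'decision': m.group(1),
        'perms': m.group(2).split(),
        'fields': fields,
        'errno': errno.errorcode.get(-code) if code < 0 else None,
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }


def summarize(avc):
    """One-line triage summary: which domain was denied what, on which object."""
    f = avc['fields']
    return '%s: %s (%s) { %s } on %s "%s" (%s)' % (
        avc['decision'], f.get('exe', f.get('comm', '?')), avc['source']['type'],
        ' '.join(avc['perms']), f.get('tclass', '?'), f.get('name', '?'),
        avc['target']['type'])
```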
