One problem that we're hitting with pam_gnomekeyring is that it runs in the
locked down xdm context since we don't do a domain transition until after pam
session modules are run. This causes problems because it means
gnome-keyring-daemon runs under the wrong context.
Some session modules (like pam_console) need to run under the xdm domain and not
the user domain though.
If we switch to using pam_selinux then we can partition the session modules to
half run in the xdm context and half in the user context.
should be fixed (or really broken) in tomorrow's rawhide
it broke things for xguest users. we need to save, reset and restore the
context around the call to the PreSession script
we fixed this a while ago I believe.