Description of problem:
The gnome-screensaver does not audit failed unlock attempts.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.22.1-1.fc9.i386

How reproducible:
always

Steps to Reproduce:
1. Login
2. Lock screen
3. Enter bogus password
4. Search audit log for failed attempt (ausearch -i -x gnome-screensaver)
5. Ideally this would yield the answer I think: ausearch -i -x gnome-screensaver -sv no

Actual results:
There are no "screen unlock" failures

Expected results:
There should be "screen unlock" failures

Additional info:
There are several audit events for the screensaver; you may need to pipe output to grep "lock". Depending on Steve Grubb's advice I may file another bz to cover those.
From looking at the priority field description I believe it should be changed to high; maybe normal at the least. But since this is a loss of data deemed to be security-relevant I believe it needs a higher priority if not also severity. The fix isn't urgently needed, but I'd like to see it addressed in the near future if possible.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
gnome-screensaver launches gnome-screensaver-dialog which uses pam to reauthenticate the user. However since gnome-screensaver-dialog is run as the user and not root it can't audit. In SELinux enforcing the audit failure causes an authentication failure which means the user can not log back in through the screen saver dialog.
gnome-screensaver-dialog shouldn't run as root. pam_unix uses a setuid helper to handle any heavy lifting it needs to do. If audit is failing, it must be a problem with pam_unix, I guess.
You have to use 'ausearch -i -x unix_chkpwd -sv no' instead. The authentication and auditing of the authentication attempt is done by unix_chkpwd helper in case of screensaver and other non-root processes which call pam.
Instead of what? Here is the AVC that causes the authentication failure when SELinux is in enforcing mode and the gnome-screensaver-dialog is being used to reauthenticate:

type=AVC msg=audit(1212758291.296:156): avc: denied { create } for pid=4079 comm="gnome-screensav" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket

Should I open a new bug?
Also in /var/log/secure I get:

Jun 5 10:34:04 localhost gnome-screensaver-dialog: PAM audit_open() failed: Permission denied
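The two comments above describe two different things an auditor would look for: the failed PAM authentication recorded on behalf of the screensaver by the unix_chkpwd helper (what 'ausearch -i -x unix_chkpwd -sv no' finds), and the AVC denial showing that the dialog process itself was refused a netlink_audit_socket and so could not write its own audit record. The script below is an added example, not code from the bug report or from gnome-screensaver; it parses raw audit.log records offline and pulls out both kinds of event. The USER_AUTH sample lines are constructed to match the standard PAM audit record layout (the acct, pid and serial values are made up); the AVC line is the one quoted in the comment above.

```python
import re
from typing import Dict, List

# Constructed sample audit.log lines. The AVC record is the one from the bug
# comment; the two USER_AUTH records are made up to show what unix_chkpwd
# writes when it rejects and then accepts a screen-unlock password.
SAMPLE_LINES = [
    'type=USER_AUTH msg=audit(1212758291.296:155): user pid=4081 uid=500 auid=500 '
    "ses=1 subj=user_u:user_r:user_t:s0 msg='op=PAM:authentication acct=\"alice\" "
    'exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed\'',
    'type=AVC msg=audit(1212758291.296:156): avc: denied { create } for pid=4079 '
    'comm="gnome-screensav" scontext=user_u:user_r:user_t:s0 '
    'tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket',
    'type=USER_AUTH msg=audit(1212758300.100:157): user pid=4085 uid=500 auid=500 '
    "ses=1 subj=user_u:user_r:user_t:s0 msg='op=PAM:authentication acct=\"alice\" "
    'exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success\'',
]

# key=value pairs; the value is single-quoted (nested PAM message),
# double-quoted, or a bare token.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
DENIED_RE = re.compile(r"denied \{ ([^}]*) \}")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict, including the nested msg='...' fields."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            # PAM puts its own key=value list inside msg='...'; merge it in.
            fields.update(parse_record(raw[1:-1]))
            continue
        fields[key] = raw.strip('"').rstrip(":")
    stamp = STAMP_RE.search(line)
    if stamp:
        fields["timestamp"], fields["serial"] = stamp.group(1), stamp.group(2)
    denied = DENIED_RE.search(line)
    if denied:
        fields["permission"] = denied.group(1).strip()
    return fields


def failed_unlock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """USER_AUTH records where the unix_chkpwd helper reported res=failed.

    This is the same selection 'ausearch -i -x unix_chkpwd -sv no' makes:
    the helper, not gnome-screensaver-dialog, is the exe on the record.
    """
    hits = []
    for rec in map(parse_record, lines):
        if (rec.get("type") == "USER_AUTH"
                and rec.get("exe", "").endswith("/unix_chkpwd")
                and rec.get("res") == "failed"):
            hits.append(rec)
    return hits


def audit_socket_denials(lines: List[str]) -> List[Dict[str, str]]:
    """AVC denials on netlink_audit_socket.

    A non-root process that tries to open the audit socket itself is denied
    here; this is the denial behind 'PAM audit_open() failed' in /var/log/secure.
    """
    return [rec for rec in map(parse_record, lines)
            if rec.get("type") == "AVC"
            and rec.get("tclass") == "netlink_audit_socket"]


if __name__ == "__main__":
    for rec in failed_unlock_attempts(SAMPLE_LINES):
        print(f"failed unlock: acct={rec['acct']} pid={rec['pid']} serial={rec['serial']}")
    for rec in audit_socket_denials(SAMPLE_LINES):
        print(f"audit socket denied: comm={rec['comm']} perm={rec['permission']} "
              f"scontext={rec['scontext']}")
```

Run it against a real /var/log/audit/audit.log by replacing SAMPLE_LINES with the file's lines; the parser only relies on the key=value layout of audit records, so it also works on the gnome-screensaver records that the first comment suggests grepping for "lock".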
So Tomas was answering comment 0. Your issue is slightly different, so it might be better to open a new bug against pam.