Description of problem:
When I put some entries into /etc/security/sepermit.conf it causes gnome-screensaver to not be able to lock the screen (in SELinux enforcing mode). If I put the system in permissive mode, then gnome-screensaver is able to lock the screen but is not able to unlock the screen.

Version-Release number of selected component (if applicable):
pam-1.1.0-5.fc12.x86_64
gnome-screensaver-2.28.0-1.fc12.x86_64

How reproducible:
Add some entries to /etc/security/sepermit.conf:

# cat /etc/security/sepermit.conf
# /etc/security/sepermit.conf
#
# Each line contains either:
#  - an user name
#  - a group name, with @group syntax
#  - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
#  - exclusive - only single login session will
#    be allowed for the user and the user's processes
#    will be killed on logout
%root
%guest_u
%xguest_u
%user_u
%staff_u
%sysadm_u
%unconfined_u

Next, from a Gnome desktop session lock the screen. The screen will dim. Press the space bar and the screen will return to the desktop. Note that gnome-screensaver did not lock the screen.

Next, comment out the entries in /etc/security/sepermit.conf or remove them. From a Gnome desktop session lock the screen. The screen will dim. Press the space bar and a password dialog prompts for the password of the user that is currently logged in. Enter the user password to unlock the screen.

Steps to Reproduce:
1. echo %user_u >> /etc/security/sepermit.conf
2. 'lock screen'
3. 'unlock screen'

Actual results:
If you configure pam_sepermit, e.g. add entries to the sepermit.conf file, the screen does not lock (in SELinux enforcing mode).

Expected results:
The screensaver should lock the screen even if there are entries in sepermit.conf.

Additional info:
That's because you're using the default configuration for pam_sepermit in /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver. The purpose of this default configuration is to allow the xguest user to log in without a password. It is not at all useful to prevent login for other confined users who have passwords set. You have to change /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver to call the module as required and not as [success=done ignore=ignore default=bad].
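The two PAM stacks the reply contrasts, side by side, with a small check that reports which control field pam_sepermit.so is called with. This is an added example, not code from the bug report or from the pam/gnome-screensaver packages; the sample stacks are constructed here and only approximate the real Fedora service files (the module ordering and the `substack password-auth` line are assumptions). The security-relevant difference is standard PAM control semantics: `success=done` ends the auth stack with success as soon as pam_sepermit.so returns PAM_SUCCESS, so no later password module runs, whereas `required` records the result and keeps walking the stack.

```sh
#!/bin/sh
# Added example (not from the bug report): inspect how pam_sepermit.so is
# invoked in a PAM "auth" stack, so you can tell the default control
# "[success=done ignore=ignore default=bad]" from the "required" control
# the reply recommends.

# Constructed sample stacks (assumption: real /etc/pam.d/gdm and
# /etc/pam.d/gnome-screensaver files contain more lines than this).
DEFAULT_STACK='auth       [success=done ignore=ignore default=bad] pam_sepermit.so
auth       substack      password-auth'

FIXED_STACK='auth       required      pam_sepermit.so
auth       substack      password-auth'

# Read a PAM service file on stdin and print the control field used for
# pam_sepermit.so in the auth stack; prints "none" if it is not listed.
# A bracketed control such as [success=done ignore=ignore default=bad]
# spans several whitespace-separated fields, so it is reassembled.
sepermit_control() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
    $1 == "auth" && $0 ~ /pam_sepermit\.so/ {
      if ($2 ~ /^\[/) {
        ctl = ""
        for (i = 2; i <= NF; i++) {
          ctl = ctl (i > 2 ? " " : "") $i
          if ($i ~ /\]$/) break
        }
      } else {
        ctl = $2
      }
      print ctl; found = 1; exit                 # END still runs after exit
    }
    END { if (!found) print "none" }'
}

# Exit 0 only when the given stack text calls pam_sepermit.so as "required".
sepermit_is_required() {
  [ "$(printf '%s\n' "$1" | sepermit_control)" = "required" ]
}

# Stand-alone run: show the control field for both constructed stacks.
printf 'default: %s\n' "$(printf '%s\n' "$DEFAULT_STACK" | sepermit_control)"
printf 'fixed:   %s\n' "$(printf '%s\n' "$FIXED_STACK" | sepermit_control)"
```

To check a live system, run `sepermit_control < /etc/pam.d/gnome-screensaver` and `sepermit_control < /etc/pam.d/gdm`; anything other than `required` means a match in /etc/security/sepermit.conf can still short-circuit the password prompt on that service.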