Red Hat Bugzilla – Bug 529177
pam_sepermit causes gnome-screensaver to not be able to lock screen.
Last modified: 2009-11-02 06:31:49 EST
Description of problem:
When I put some entries into /etc/security/sepermit.conf, gnome-screensaver is not able to lock the screen (in SELinux enforcing mode).
If I put the system in permissive mode, gnome-screensaver is able to lock the screen but is not able to unlock it.
Version-Release number of selected component (if applicable):
Add some entries to /etc/security/sepermit.conf:
# cat /etc/security/sepermit.conf
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will
# be allowed for the user and the user's processes
# will be killed on logout
Next, from a Gnome desktop session lock the screen.
The screen will dim. Press the space bar and the screen will return to the desktop.
Note that gnome-screensaver did not lock the screen.
Next, comment out the entries in /etc/security/sepermit.conf or remove them.
From a Gnome desktop session, lock the screen.
The screen will dim. Press the space bar and a password dialog prompts for the password of the user that is currently logged in.
Enter the user password to unlock the screen.
Steps to Reproduce:
1. echo %user_u >> /etc/security/sepermit.conf
2. 'lock screen'
3. 'unlock screen'
If you configure pam_sepermit, e.g. add entries to the sepermit.conf file, the screen does not lock (in SELinux enforcing mode).
The screensaver should lock the screen even if there are entries in sepermit.conf.
That's because you're using the default configuration for pam_sepermit in /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver.
The purpose of this default configuration is to allow the xguest user to log in without a password. It is not at all useful for preventing login by other confined users that have passwords set.
You have to change the /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver to call the module as required and not as [success=done ignore=ignore default=bad].
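A way to check which control value a PAM service file applies to pam_sepermit, as an added example that is not part of the bug report. The module filename pam_sepermit.so, the sample service files and the corrected "required" line are assumptions; the two files are constructed to mirror the default and the fixed configuration described above.

```shell
#!/bin/sh
# Added example, not from the bug report. Module filename pam_sepermit.so
# is an assumption.

# Print the control field PAM applies to pam_sepermit in the auth stack.
sepermit_control() {
    sed -n 's/^auth[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]\{1,\}pam_sepermit\.so.*/\1/p' "$1"
}

# Exit 0 when pam_sepermit's success short-circuits the stack (success=done),
# i.e. a user listed in sepermit.conf gets no password prompt while SELinux
# is enforcing, which is the unlock-without-password behaviour reported.
sepermit_bypasses_password() {
    case "$(sepermit_control "$1")" in
        *success=done*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample service files (assumed contents): the default
# xguest-style stack and the corrected one using "required".
TMP=$(mktemp -d)
cat > "$TMP/gnome-screensaver.default" <<'EOF'
#%PAM-1.0
auth       [success=done ignore=ignore default=bad]   pam_sepermit.so
auth       substack   system-auth
account    include    system-auth
EOF
cat > "$TMP/gnome-screensaver.fixed" <<'EOF'
#%PAM-1.0
auth       required   pam_sepermit.so
auth       substack   system-auth
account    include    system-auth
EOF

# With "required", a PAM_SUCCESS from pam_sepermit continues into
# system-auth, so the password prompt still appears.
for f in "$TMP"/gnome-screensaver.*; do
    if sepermit_bypasses_password "$f"; then
        echo "$f: control '$(sepermit_control "$f")' skips the password for listed users"
    else
        echo "$f: control '$(sepermit_control "$f")' still falls through to the password stack"
    fi
done
```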