Bug 529177 - pam_sepermit causes gnome-screensaver to not be able to lock screen.
pam_sepermit causes gnome-screensaver to not be able to lock screen.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-10-15 06:44 EDT by Dominick Grift
Modified: 2009-11-02 06:31 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-02 06:31:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dominick Grift 2009-10-15 06:44:45 EDT
Description of problem:
When i put some entries into /etc/security/sepermit.conf it causes gnome-screensaver to not be able to lock the screen ( in SELinux enforcing mode )

If i put the system in permissive mode, then gnome-screensaver is able to lock the screen but is not able to unlock the screen.

Version-Release number of selected component (if applicable):
pam-1.1.0-5.fc12.x86_64
gnome-screensaver-2.28.0-1.fc12.x86_64

How reproducible:
Add some entries to /etc/security/sepermit.conf:

# cat /etc/security/sepermit.conf

# /etc/security/sepermit.conf
#
# Each line contains either:
#        - an user name
#        - a group name, with @group syntax
#        - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
#        - exclusive - only single login session will
#          be allowed for the user and the user's processes
#          will be killed on logout
%root
%guest_u
%xguest_u
%user_u
%staff_u
%sysadm_u
%unconfined_u

Next, from a Gnome desktop session lock the screen.
The screen will dim. Press the space bar and the screen will return to the desktop.

Note that gnome-screensaver did not lock the screen.

Next comment the entries in /etc/security/sepermit.conf or remove them.
From a Gnome desktop session lock the screen.
The screen will dim. Press the space bar and a password dialog prompts for the password of the user that is currently logged in. 
Enter the user password to unlock the screen. 

Steps to Reproduce:
1. echo %user_u >> /etc/security/sepermit.conf
2. 'lock screen'
3. 'unlock screen' 

Actual results:
If you configure pam_sepermit e.g. add entries to the sepermit.config file, the screen does not lock (in selinux enforcing mode)

Expected results:

The screensaver should lock the screen even if there are entries in sepermit.conf.


Additional info:
Comment 1 Tomas Mraz 2009-11-02 06:31:49 EST
That's because you're using the default configuration for pam_sepermit in /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver.

This default configuration purpose is to allow the xguest user to log in without a password. It is not at all useful to prevent login for other confined users which have passwords set.

You have to change the /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver to call the module as required and not as [success=done ignore=ignore default=bad].

Note You need to log in before you can comment on or make changes to this bug.