Summary: SELinux is preventing /usr/bin/gnome-keyring-daemon "write" access on /tmp. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by gnome-keyring-d. It is not expected that this access is required by gnome-keyring-d and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmp_t:s0 Target Objects /tmp [ dir ] Source gnome-keyring-d Source Path /usr/bin/gnome-keyring-daemon Port <Unknown> Host (removed) Source RPM Packages gnome-keyring-2.28.2-2.fc12 Target RPM Packages filesystem-2.4.30-2.fc12 Policy RPM selinux-policy-3.6.32-66.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux vigo.if.usp.br 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64 Alert Count 3 First Seen Sat 23 Jan 2010 10:09:57 PM BRST Last Seen Sat 23 Jan 2010 10:09:57 PM BRST Local ID 61c475ce-93d4-4763-81e5-2980f0f47379 Line Numbers Raw Audit Messages node=vigo.if.usp.br type=AVC msg=audit(1264291797.977:69611): avc: denied { write } for pid=27889 comm="gnome-keyring-d" name="tmp" dev=dm-0 ino=26 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir node=vigo.if.usp.br type=AVC msg=audit(1264291797.977:69611): avc: denied { add_name } for pid=27889 comm="gnome-keyring-d" name="keyring-W41iLg" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir node=vigo.if.usp.br type=AVC msg=audit(1264291797.977:69611): avc: denied { create } for pid=27889 comm="gnome-keyring-d" name="keyring-W41iLg" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir node=vigo.if.usp.br type=SYSCALL msg=audit(1264291797.977:69611): arch=c000003e syscall=83 success=yes exit=0 a0=2194270 a1=1c0 a2=2194282 a3=a0 items=0 ppid=27882 pid=27889 auid=504 uid=504 gid=504 euid=504 suid=504 fsuid=504 egid=504 sgid=504 fsgid=504 tty=pts1 ses=145 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-66.fc12,catchall,gnome-keyring-d,passwd_t,tmp_t,dir,write audit2allow suggests: #============= passwd_t ============== allow passwd_t tmp_t:dir { write create add_name };
*** Bug 564071 has been marked as a duplicate of this bug. ***
*** Bug 564072 has been marked as a duplicate of this bug. ***
gnome-keyring-daemon should not be started under the passwd command it is not already running. It should check to see if the socket is there and fail if it is not.
*** Bug 564074 has been marked as a duplicate of this bug. ***
*** Bug 578573 has been marked as a duplicate of this bug. ***
*** Bug 588674 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
I'm still seeing this on fedora 14. I run gnome-about-me, and try to change my password. When click the change password button, gnome-about-me hangs and I get this AVC.
Why isn't gnome-keyring started when you login, why is it waiting to be started by the password command?
(In reply to comment #8) > I'm still seeing this on fedora 14. I run gnome-about-me, and try to change my > password. When click the change password button, gnome-about-me hangs and I > get this AVC. Is this with gnome desktop session? (In reply to comment #9) > Why isn't gnome-keyring started when you login, why is it waiting to be started > by the password command? AFAIK gnome-keyring is now dbus-spawned, via libgnome-keyring. No need to have daemon running on session start when nobody needs it. Only not sure where it stores master password or the keyring unlock state.
(In reply to comment #8) > I'm still seeing this on fedora 14. I run gnome-about-me, and try to change my > password. When click the change password button, gnome-about-me hangs and I > get this AVC. Oh wait, I think it goes through the accountsdialog service (presumably running under root, as it's a dbus service), then it sets password and pam modules trigger gnome-keyring-daemon to change user keyring password.
But if gnome-keyring-daemon is not running it looks like passwd ends up execing gnome-keyring-daemon Which tries to write stuff into /tmp?
If gnome-keyring-daemon is started via dbus then the pam module that passwd is using should be sending a dbus message to gnome-keyring.
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.