SELinux is preventing /usr/bin/passwd from 'execute' accesses on the archivo /usr/bin/gnome-keyring-daemon. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that passwd should be allowed execute access on the gnome-keyring-daemon file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep passwd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 Target Context system_u:object_r:gkeyringd_exec_t:s0 Target Objects /usr/bin/gnome-keyring-daemon [ file ] Source passwd Source Path /usr/bin/passwd Port <Desconocido> Host (removed) Source RPM Packages passwd-0.78-3.fc15 Target RPM Packages gnome-keyring-3.0.1-2.fc15 Policy RPM selinux-policy-3.9.16-23.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen mié 25 may 2011 21:18:43 COT Last Seen mié 25 may 2011 21:18:43 COT Local ID abc4ba0a-8f3b-46ed-be0e-33251f1016ff Raw Audit Messages type=AVC msg=audit(1306376323.639:37): avc: denied { execute } for pid=1735 comm="passwd" name="gnome-keyring-daemon" dev=sda2 ino=30698 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1306376323.639:37): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f0e292f72c1 a1=7fffe3e00d50 a2=a87190 a3=0 items=0 ppid=1711 pid=1735 auid=500 uid=500 gid=500 euid=500 suid=0 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) Hash: passwd,passwd_t,gkeyringd_exec_t,file,execute audit2allow #============= passwd_t ============== allow passwd_t gkeyringd_exec_t:file execute; audit2allow -R #============= passwd_t ============== allow passwd_t gkeyringd_exec_t:file execute;
The problem is gnome-keyring was not started which should not happen. Could you add me output of # ps -eZ |grep keyring I believe the gkeyring is now running.
(In reply to comment #1) > The problem is gnome-keyring was not started which should not happen. > > Could you add me output of > sure > # ps -eZ |grep keyring > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1057 ? 00:00:00 gnome-keyring-d > > I believe the gkeyring is now running.
i think this is happening when you try to change your password via "my account". we encountered this event before but did not find a way to fix it i believe. One way is to prefix passwd_t that way we can tell it to transition back to the userdomain when it runs gkeyringd_exec_t. Another way is to not transition unconfined_t to passwd_t in the first place, but that still does not resolve this issue for confined users.
Another way would be to stop the insanity. passwd should not be starting gnome-keyring-daemon.
Fair enough so why are we not cc'ing the maintainer of pam_gnome_keyring? This issue has been around for a while now.
AFAIK we have opened a bug.
*** This bug has been marked as a duplicate of bug 674193 ***