Running latest Rawhide, targeted enforcing.
Notice this:
type=AVC msg=audit(1187879289.771:16): avc: denied { write } for pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5 success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1 pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
But 'ps agxZ | grep key' shows:
[root@localhost lib]# ps agxZ | grep key system_u:system_r:unconfined_t 3150 ? S 0:00 /usr/bin/gnome-keyring-daemon system_u:system_r:unconfined_t 3971 pts/0 S+ 0:00 grep key [root@localhost lib]#
pid in AVC says '3165', not 3150, so .....
What could this be? Leaked fd?
tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Tom London wrote:
Running latest Rawhide, targeted enforcing.
Notice this:
type=AVC msg=audit(1187879289.771:16): avc: denied { write } for pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5 success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1 pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
But 'ps agxZ | grep key' shows:
[root@localhost lib]# ps agxZ | grep key system_u:system_r:unconfined_t 3150 ? S 0:00 /usr/bin/gnome-keyring-daemon system_u:system_r:unconfined_t 3971 pts/0 S+ 0:00 grep key [root@localhost lib]#
pid in AVC says '3165', not 3150, so .....
What could this be? Leaked fd?
tom
I think this a new program that unlocks the gnome-keyring at login, so you don't need a secondary login. Probably this pam module should be after selinux context is set.
selinux@lists.fedoraproject.org