Re: gnome-keyring-daemon and ~/keyrings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom London wrote:
> Running latest Rawhide, targeted enforcing.
>
> Notice this:
>
> type=AVC msg=audit(1187879289.771:16): avc: denied { write } for
> pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir
> type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5
> success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1
> pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d"
> exe="/usr/bin/gnome-keyring-daemon"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> But 'ps agxZ | grep key' shows:
>
> [root@localhost lib]# ps agxZ | grep key
> system_u:system_r:unconfined_t 3150 ? S 0:00
> /usr/bin/gnome-keyring-daemon
> system_u:system_r:unconfined_t 3971 pts/0 S+ 0:00 grep key
> [root@localhost lib]#
>
> pid in AVC says '3165', not 3150, so .....
>
> What could this be? Leaked fd?
>
> tom

I think this a new program that unlocks the gnome-keyring at login, so you don't need a secondary login. Probably this pam module should be after selinux context is set.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGztNDrlYvE4MpobMRAvXEAJ9Cxh+Ca1SpQYQdndpLHeZeU1dHbwCeN32C Q3PCcuPC2MOXMC7qARzriNw=
=F7wq
-----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

• This message: [ Message body ]
• Next message: Daniel J Walsh: "Re: A tool to generate missing requires for a SELinux module?"
• Previous message: Daniel J Walsh: "Re: mixer_applet2 and execmod ?!"
• In reply to: Tom London: "gnome-keyring-daemon and ~/keyrings"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]