On Sat, 2006-07-15 at 09:50 -0700, Tom London wrote: > Running latest rawhide, targeted/enforcing. > > Notice the following in /var/log/audit/audit.log: > > type=AVC msg=audit(1152981861.606:20): avc: denied { search } for > pid=2505 comm="gdm-binary" > scontext=system_u:system_r:xdm_t:s0-s0:c0.c255 > tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key > type=SYSCALL msg=audit(1152981861.606:20): arch=40000003 syscall=288 > success=no exit=-13 a0=3 a1=292e05f8 a2=35ce48 a3=7ce759 items=0 > ppid=2471 pid=2505 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 > sgid=500 fsgid=0 tty=(none) comm="gdm-binary" > exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c255 > key=(null) > > type=AVC msg=audit(1152981872.490:26): avc: denied { write } for > pid=2804 comm="gdm-binary" > scontext=system_u:system_r:xdm_t:s0-s0:c0.c255 > tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key > type=SYSCALL msg=audit(1152981872.490:26): arch=40000003 syscall=288 > success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=1f4 items=0 > ppid=2471 pid=2804 auid=4294967295 uid=500 gid=500 euid=0 suid=0 > fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="gdm-binary" > exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c255 > key=(null) > > and > > type=AVC msg=audit(1152981908.300:32): avc: denied { write } for > pid=3037 comm="su" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=key > type=SYSCALL msg=audit(1152981908.300:32): arch=40000003 syscall=288 > success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 > ppid=2984 pid=3037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 > sgid=500 fsgid=500 tty=pts0 comm="su" exe="/bin/su" > subj=user_u:system_r:unconfined_t:s0 key=(null) > > Believe the second results from me entering 'su -'. This is caused by adding pam_keyinit.so to default configurations of gdm, su and other login services. It will also be added to /etc/pam.d/system-auth(-ac) so it will be called for all services calling pam_open_session. This module initializes the user's session keyring in kernel so that should be probably allowed. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list