GNOME Bugzilla – Bug 484612
gnome-keyring-pam problems with selinux
Last modified: 2007-11-24 17:25:36 UTC
In Fedora, gdm runs in a limited context, and is not allowed to talk to processes in the unlimited user session. This means that having pam spawn the keyring daemon into the session and then talk to it via a socket is denied. So, we do start the daemon, but we neither create nor unlock the login keyring. We talked a bit to an selinux developer at redhat, and his proposal was to make the pam module not talk to the daemon via the socket, but instead spawn it with a special switch to make it unlock the login keyring (handing over the password on stdin). I have a patch that implements this in Fedora 8 that I will attach. I've tested it for login/logout in gdm, however I'm not sure how it will handle gnome-screensaver passwd. I'll check that.
Created attachment 96862: Initial work to make gkr-pam work with selinux
I'll look at this for inclusion after 2.20.1
Included for 2.21. I made a few changes:
* Suppress SIGPIPE when writing password to daemon.
* Use non-pageable memory in daemon when reading password, and cleanup in forked children.
* Make started_daemon variable in module actually reflect whether it was started or not.
* Support passwords longer than 256 chars.
I tested it without SELinux, and it works, including gnome-screensaver and passwd. However you may want to give it a quick look to make sure I didn't screw something up that breaks when running under SELinux.
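The hand-off the two comments describe, as an added C example that is neither the attached patch nor gnome-keyring's own code: the PAM side forks the daemon with the password on its stdin rather than talking to it over a socket (the path SELinux denies), writes it with SIGPIPE blocked, and closes every other inherited descriptor in the child; the daemon side reads the password into an mlock'd buffer with no fixed 256-byte limit and wipes it afterwards. All function names, the 4096-byte buffer and the sample password are assumptions, and a forked function stands in for the daemon's unlock switch because the real option name is not on the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* PAM side: write `len` bytes to `fd` with SIGPIPE blocked, so a daemon that exits
 * early yields -1/EPIPE instead of the signal killing the login process. */
int write_secret_nosigpipe(int fd, const char *secret, size_t len)
{
    sigset_t mask, old; int ret = 0;
    sigemptyset(&mask); sigaddset(&mask, SIGPIPE);
    sigprocmask(SIG_BLOCK, &mask, &old);
    while (len > 0) {
        ssize_t n = write(fd, secret, len);
        if (n < 0) { if (errno == EINTR) continue; ret = -1; break; }
        secret += n; len -= (size_t)n;
    }
    if (ret < 0 && errno == EPIPE) {          /* drain the SIGPIPE left pending */
        struct timespec zero = { 0, 0 }; int saved = errno;
        while (sigtimedwait(&mask, NULL, &zero) == SIGPIPE) ;
        errno = saved;
    }
    sigprocmask(SIG_SETMASK, &old, NULL);
    return ret;
}

/* Daemon side: read the password from `fd` into `buf` (capacity `cap`), locked in
 * RAM first (best effort: unprivileged mlock may be refused) so it is never swapped
 * out. Reads until newline or EOF, so no 256-byte cap applies. Length or -1. */
ssize_t read_secret_locked(int fd, char *buf, size_t cap)
{
    size_t used = 0;
    if (cap == 0) { errno = EINVAL; return -1; }
    (void)mlock(buf, cap);
    while (used < cap - 1) {
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        used += (size_t)n;
        char *nl = memchr(buf, '\n', used);
        if (nl) { used = (size_t)(nl - buf); break; }
    }
    buf[used] = '\0';
    return (ssize_t)used;
}

/* Stand-in (assumed) for the daemon's unlock mode: take the password from stdin
 * into a locked buffer, use it (here: only measure it), wipe it, report length. */
int daemon_unlock_mode(void)
{
    char pw[4096];
    ssize_t n = read_secret_locked(STDIN_FILENO, pw, sizeof pw);
    for (volatile char *p = pw; p < pw + sizeof pw; p++) *p = 0;  /* not optimised away */
    (void)munlock(pw, sizeof pw);
    return n < 0 ? 255 : (int)(n & 0xff);
}

/* PAM side: fork the daemon with a pipe on its stdin, close all other inherited
 * descriptors in the child, hand over the password, return the length it reported. */
int pam_handoff(const char *secret)
{
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[0], STDIN_FILENO);
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 65536) maxfd = 65536;
        for (int fd = 3; fd < maxfd; fd++) close(fd);  /* drop caller's sockets/files */
        _exit(daemon_unlock_mode());                   /* a real module would exec here */
    }
    close(fds[0]);
    int rc = write_secret_nosigpipe(fds[1], secret, strlen(secret));
    if (rc == 0) rc = write_secret_nosigpipe(fds[1], "\n", 1);
    close(fds[1]);                            /* EOF: password complete */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return rc == 0 ? WEXITSTATUS(status) : -1;
}

/* Pipe whose reader is gone: returns the errno seen (EPIPE), process stays alive. */
int write_to_dead_reader(void)
{
    int fds[2], err = 0;
    if (pipe(fds) != 0) return -1;
    close(fds[0]);
    if (write_secret_nosigpipe(fds[1], "secret\n", 7) < 0) err = errno;
    close(fds[1]);
    return err;
}

int main(void)
{
    printf("daemon got %d bytes; dead reader errno=%d\n",
           pam_handoff("constructed-demo-password"), write_to_dead_reader());
    return 0;
}
```

The descriptor-closing loop in the child is the "cleanup in forked children" part of the hand-off: the daemon must not inherit the login process's sockets or files. Blocking SIGPIPE with a signal mask rather than installing SIG_IGN keeps the change local to the PAM call and leaves the host process's signal handlers untouched.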