Keyring authentication required with LUKS and automatic login

Ask Fedora
, , ,
11

Thank you for investigating it further.

I’ve also tried a clean install of Fedora 35 in a VM just now, with LUKS and GDM auto-login, and Gnome Keyring was unlocked successfully out of the box. So the feature exists.

However I’ve noticed some differences compared to my laptop, but couldn’t figure out yet how to fix it.

This is a journalctl snippet from the clean VM install:

Dec 30 14:23:51 clean-vm audit[1099]: AVC avc: denied { read } for pid=1099 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
Dec 30 14:23:51 clean-vm audit[1099]: AVC avc: denied { read } for pid=1099 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

For some reason this error happens on a clean install, but does not happen on my laptop. So either gnome-session-worker doesn’t run at this point on the laptop or SELinux doesn’t block it.

On my laptop, this is what’s logged regarding authentication:

Dec 30 11:55:00 laptop audit[1437]: USER_AUTH pid=1437 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_permit acct="diogo" exe="/usr/libexec/gdm-session-worker" hostname=laptop addr=? terminal=/dev/tty1 res=success'
Dec 30 11:55:00 laptop audit[1437]: USER_ACCT pid=1437 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="diogo" exe="/usr/libexec/gdm-session-worker" hostname=laptop addr=? terminal=/dev/tty1 res=success'

While the clean VM install logs something different:

Dec 30 14:23:51 clean-vm gdm-autologin][1099]: gkr-pam: stashed password to try later in open session
...
Dec 30 14:23:51 clean-vm audit[1099]: USER_AUTH pid=1099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_gdm,pam_gnome_keyring,pam_permit acct="diogo" exe="/usr/libexec/gdm-session-worker" hostname=clean-vm addr=? terminal=/dev/tty1 res=success'
Dec 30 14:23:51 clean-vm audit[1099]: USER_ACCT pid=1099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="diogo" exe="/usr/libexec/gdm-session-worker" hostname=clean-vm addr=? terminal=/dev/tty1 res=success'

The clean VM install mentions stashed password, while my laptop does not.

And the clean VM install logs me in with the grantors pam_gdm,pam_gnome_keyring,pam_permit, while my laptop just says pam_permit.

The funny thing is that this laptop install is just a few days old, so I haven’t really tweaked it that much to make all those differences. I’ll keep digging and see if I can fix it. Thanks again.