gnome-keyring needs to be run from the user's context (e.g. staff_t) instead of xdm_t, so pam_gnome_keyring.so needs to be after pam_selinux has opened the session. The following works great; I just moved the gnome_keyring further down in the list. (This is only in the session part; the rest is fine.)

session optional pam_loginuid.so
session required pam_selinux.so close verbose
session required pam_env.so
session optional pam_lastlog.so silent
session include system-auth
-session optional pam_ck_connector.so nox11
# gnome_keyring used to be here
session required pam_selinux.so multiple open verbose
session optional pam_motd.so motd=/etc/motd
session optional pam_gnome_keyring.so auto_start
session optional pam_mail.so

The SELinux policies have already been fixed; this is the only part missing.

Should be all set now in the tree; thanks for the report!

Commit message: Move pam_gnome_keyring after pam_selinux
http://sources.gentoo.org/sys-auth/pambase/pambase-20150213.ebuild?rev=1.1
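
An added example, not part of the bug thread or of the pambase code: a small Python check that flags a session stack in which pam_gnome_keyring.so runs before pam_selinux.so has opened the session. The function name and the BROKEN sample are constructed for illustration, and included files such as system-auth are not followed.

```python
import re

# Constructed inputs: FIXED is the session stack from the report above; BROKEN
# puts pam_gnome_keyring.so back where the "used to be here" comment sits.
KEYRING = "session optional pam_gnome_keyring.so auto_start"
FIXED = """\
session optional pam_loginuid.so
session required pam_selinux.so close verbose
session required pam_env.so
session optional pam_lastlog.so silent
session include system-auth
-session optional pam_ck_connector.so nox11
# gnome_keyring used to be here
session required pam_selinux.so multiple open verbose
session optional pam_motd.so motd=/etc/motd
session optional pam_gnome_keyring.so auto_start
session optional pam_mail.so
"""
BROKEN = FIXED.replace(KEYRING + "\n", "").replace(
    "# gnome_keyring used to be here", KEYRING)

# type, control (plain word or [bracketed] form), module, remaining arguments
ENTRY = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def misordered_keyring(pam_text):
    """Return 1-based line numbers of pam_gnome_keyring.so session entries
    that come before pam_selinux.so has run its open_session part."""
    selinux_opened = False
    bad = []
    for lineno, raw in enumerate(pam_text.splitlines(), start=1):
        # Drop comments; a leading '-' marks a module that may be absent.
        line = raw.split("#", 1)[0].strip().lstrip("-")
        m = ENTRY.match(line)
        if not m or m.group(1) != "session":
            continue
        module = m.group(3).rsplit("/", 1)[-1]   # accept absolute module paths
        args = m.group(4).split()
        # "close" restricts pam_selinux to the close_session part only.
        if module == "pam_selinux.so" and "close" not in args:
            selinux_opened = True
        elif module == "pam_gnome_keyring.so" and not selinux_opened:
            bad.append(lineno)
    return bad   # include/substack targets are not followed (assumption)

if __name__ == "__main__":
    for name, text in (("fixed", FIXED), ("broken", BROKEN)):
        print(name, misordered_keyring(text) or "ok")
```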