Hi,

pam_keyinit.so has been integrated in GDM PAM stack (bsc#1081947 comment #35)
and therefore I expect to get a fresh session keyring after logging in with
GDM.

But for some reasons it still doesn't happen on my setup (TW snapshot
20190310):

  fbui@linux-u19k:~> keyctl show  @s
  Keyring
   191591746 --alswrv   1000 65534  keyring: _uid_ses.1000
   436165832 --alswrv   1000 65534   \_ keyring: _uid.1000
   989285180 --alswrv   1000   100       \_ user: 6967d0c28476ffa1
   409630110 --alswrv   1000   100       \_ user: 253ca7e88811d184

As it can be seen, I'm still using the per-user default session keyring
instead.

Just to make sure I checked the content of the GDM PAM config files:

  # grep pam_keyinit /etc/pam.d/gdm*
  /etc/pam.d/gdm:session  optional       pam_keyinit.so force revoke debug
  /etc/pam.d/gdm-autologin:session  optional       pam_keyinit.so force revoke
  /etc/pam.d/gdm-launch-environment:session  optional       pam_keyinit.so
force revoke
  /etc/pam.d/gdm-password:session  optional       pam_keyinit.so force revoke
debug

  # rpm -qf /etc/pam.d/gdm
  gdm-3.28.2-4.3.x86_64