Issues with sshd writing to the kernel keyring

Jason L Tibbitts III tibbs at math.uh.edu
Sat Jan 31 21:45:31 UTC 2015


>>>>> "DJW" == Daniel J Walsh <dwalsh at redhat.com> writes:

DJW> The labelling of the kernel keyring has never been handled
DJW> correctly.  The keyring gets created with a label based on the
DJW> creating object then all sorts of other confined domains end up
DJW> using the same keyring.

Ah, that makes a lot of sense.  I have managed to get around it by
restarting things, but knowing that whatever creates the keyring
specifies the label does explain what I'm seeing, including the rare
startup race.

Do you know if it's possible to somehow look at the kernel keyring and
see the labeling of things?  /proc/keys doesn't tell me.

DJW> I would just allow the access.  You should open a bug with
DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.

I reopened the existing bug, which was on F20 (and seemingly solved
there) but which didn't get carried over to F21 somehow.  That is
https://bugzilla.redhat.com/show_bug.cgi?id=1063827

I can open a new ticket if that would be better.

 - J<
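Added example (not part of the mail above, and not from keyutils or the selinux-policy project): the question of whether the label on a kernel key can be inspected is answered by keyctl's "security" subcommand, which is the userspace front for keyctl_get_security(3) and prints the security context the kernel attached to a key; /proc/keys does list keys but never shows that context. The script below walks a keyring with "keyctl show", pulls out the key serials, and prints each key's description and label. The "keyctl show" output embedded as SAMPLE_SHOW is constructed here so the serial parsing can be exercised on a box without keyutils; the keyring name and descriptions in it are illustrative, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example: list keys in a kernel keyring together with the SELinux
# label the kernel stored on each one.  "keyctl security" is what exposes
# the label; /proc/keys shows serial, perms, uid/gid and type only.

# Extract key serials from "keyctl show" output read on stdin.  Each key
# line starts with a decimal serial (e.g. " 123456789 --alswrv 0 0 ...");
# header lines such as "Session Keyring" have no leading number.
key_serials() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Print "serial  description  label" for every key under keyring $1.
# Defaults to @s, the session keyring.  Needs keyutils installed.
show_key_labels() {
    ring="${1:-@s}"
    keyctl show "$ring" | key_serials | while read -r serial; do
        desc=$(keyctl describe "$serial" 2>/dev/null)
        label=$(keyctl security "$serial" 2>/dev/null || echo '<unavailable>')
        printf '%s  %s  %s\n' "$serial" "$desc" "$label"
    done
}

# Constructed sample of "keyctl show" output (not captured from a real
# host), used to exercise key_serials without keyutils present.
SAMPLE_SHOW='Session Keyring
 123456789 --alswrv      0     0  keyring: _ses
 987654321 --alswrv      0 65534   \_ keyring: _uid.0
 555555555 --alswrv      0     0   \_ user: example'

# Number of serials the parser finds in the constructed sample (3).
sample_serial_count() {
    printf '%s\n' "$SAMPLE_SHOW" | key_serials | wc -l | tr -d ' '
}

# First serial in the constructed sample (123456789).
sample_first_serial() {
    printf '%s\n' "$SAMPLE_SHOW" | key_serials | head -n 1
}

# On a host that has keyutils, dump the session keyring (or the keyring
# given as $1, e.g. @u for the user keyring) with labels.
if command -v keyctl >/dev/null 2>&1; then
    show_key_labels "$@"
fi
```

Run it as root on the affected host, or pass the keyring you care about (for example "@u"), and compare the printed context of the keyring itself with the domain of the process that fails to write to it; that is the mismatch the quoted explanation describes, and the label shown is the one an allow rule in selinux-policy would have to target.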
