It's not an actual answer but rather an idea based upon Dan's mail. What
if pam_keyring were patched to supply the correct label? Just food
for thought.
On 02/01/2015 02:00 PM, selinux-request(a)lists.fedoraproject.org wrote:
Today's Topics:
1. Re: Issues with sshd writing to the kernel keyring
(Jason L Tibbitts III)
----------------------------------------------------------------------
Message: 1
Date: Sat, 31 Jan 2015 15:45:31 -0600
From: Jason L Tibbitts III <tibbs(a)math.uh.edu>
To: Daniel J Walsh <dwalsh(a)redhat.com>
Cc: selinux(a)lists.fedoraproject.org
Subject: Re: Issues with sshd writing to the kernel keyring
Message-ID: <ufay4oi1v5w.fsf(a)epithumia.math.uh.edu>
Content-Type: text/plain
>>>>> "DJW" == Daniel J Walsh <dwalsh(a)redhat.com> writes:
DJW> The labelling of the kernel keyring has never been handled
DJW> correctly. The keyring gets created with a label based on the
DJW> creating object then all sorts of other confined domains end up
DJW> using the same keyring.
Ah, that makes a lot of sense. I have managed to get around it by
restarting things, but knowing that whatever creates the keyring
specifies the label does explain what I'm seeing, including the rare
startup race.
Do you know if it's possible to somehow look at the kernel keyring and
see the labeling of things? /proc/keys doesn't tell me.
DJW> I would just allow the access. You should open a bug with
DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
I reopened the existing bug, which was on F20 (and seemingly solved
there) but which didn't get carried over to F21 somehow. That is
https://bugzilla.redhat.com/show_bug.cgi?id=1063827
I can open a new ticket if that would be better.
- J<
End of selinux Digest, Vol 132, Issue 1
***************************************
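Added example, not code from the thread or from the selinux-policy project: the question above of how to see a key's label can be answered from userspace, because the kernel exposes the security context of a key through the KEYCTL_GET_SECURITY operation (the keyutils command `keyctl security <key>` is a thin wrapper around it), while /proc/keys and KEYCTL_DESCRIBE only carry type, uid, gid, permissions and description. The program below creates a throwaway "user" key in the session keyring, reads both records and prints them side by side. The key description "example:keyring-label" is a constructed name; raw syscalls are used so libkeyutils is not needed, and the code assumes a Linux kernel. On a system without SELinux the context comes back as an empty string, and in a seccomp-confined container the keyring syscalls themselves may fail with EPERM or ENOSYS, which the wrappers report rather than hide.

```c
/*
 * Added example (not from the thread or the selinux-policy project):
 * read the SELinux context stored on a kernel key via KEYCTL_GET_SECURITY
 * and compare it with the KEYCTL_DESCRIBE record, which has no label field.
 * The context is whatever the key received at creation time, i.e. it is
 * derived from the creating process, which is why a keyring made by one
 * domain keeps that domain's label when other confined domains use it later.
 * Linux only; raw syscalls, so libkeyutils is not required.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

typedef int32_t key_serial_t;

/* Create a "user"-type key in the caller's session keyring.
 * Returns the key serial, or -1 with errno set (EPERM/ENOSYS under seccomp). */
static key_serial_t add_user_key(const char *desc, const void *payload, size_t len)
{
    long rc = syscall(SYS_add_key, "user", desc, payload, len,
                      KEY_SPEC_SESSION_KEYRING);
    return rc < 0 ? -1 : (key_serial_t)rc;
}

/* Wrapper for the string-returning keyctl operations. The kernel returns the
 * total length including the NUL; if buf is too small it copies only buflen
 * bytes without terminating, so we fail closed with ERANGE instead of handing
 * back an unterminated string. Returns strlen(buf) or -1 with errno set. */
static ssize_t keyctl_string(int op, key_serial_t key, char *buf, size_t buflen)
{
    if (buflen == 0) {
        errno = EINVAL;
        return -1;
    }
    long n = syscall(SYS_keyctl, op, key, buf, buflen);
    if (n < 0)
        return -1;
    if ((size_t)n > buflen) {
        buf[buflen - 1] = '\0';
        errno = ERANGE;
        return -1;
    }
    if (n == 0)                /* defensive: these ops always return >= 1 */
        buf[0] = '\0';
    return (ssize_t)strlen(buf);
}

/* Security context of the key, e.g. "unconfined_u:unconfined_r:unconfined_t:s0".
 * Empty string on a kernel where no LSM labels keys. */
static ssize_t key_security_context(key_serial_t key, char *buf, size_t buflen)
{
    return keyctl_string(KEYCTL_GET_SECURITY, key, buf, buflen);
}

/* "type;uid;gid;perm;description" record; note there is no security field. */
static ssize_t key_describe(key_serial_t key, char *buf, size_t buflen)
{
    return keyctl_string(KEYCTL_DESCRIBE, key, buf, buflen);
}

int main(void)
{
    char ctx[256], desc[256];
    /* constructed description for the demo key */
    key_serial_t k = add_user_key("example:keyring-label", "demo", 4);
    if (k < 0) {
        perror("add_key");
        return 1;
    }
    if (key_describe(k, desc, sizeof desc) < 0)
        perror("KEYCTL_DESCRIBE");
    else
        printf("describe: %s\n", desc);
    if (key_security_context(k, ctx, sizeof ctx) < 0)
        perror("KEYCTL_GET_SECURITY");
    else
        printf("security: %s\n", ctx[0] ? ctx : "(empty: no LSM labels keys here)");
    return 0;
}
```

Run it as the user whose keyring is in question (for a daemon, from inside that service's context, since the session keyring is per-login) and compare the printed context with the source and target contexts in the AVC denial; the target context of a key-class denial is exactly the string KEYCTL_GET_SECURITY returns for that keyring.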