Issues with sshd writing to the kernel keyring

George Karakougioumtzis mad-proffessor at hotmail.com
Sun Feb 1 11:50:23 UTC 2015


It's not an actual answer, but rather an idea based upon Dan's mail. What
if pam_keyring were patched to supply the correct label? Just food
for thought.
On 02/01/2015 02:00 PM, selinux-request at lists.fedoraproject.org wrote:
>
> Today's Topics:
>
>    1. Re: Issues with sshd writing to the kernel keyring
>       (Jason L Tibbitts III)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 31 Jan 2015 15:45:31 -0600
> From: Jason L Tibbitts III <tibbs at math.uh.edu>
> To: Daniel J Walsh <dwalsh at redhat.com>
> Cc: selinux at lists.fedoraproject.org
> Subject: Re: Issues with sshd writing to the kernel keyring
> Message-ID: <ufay4oi1v5w.fsf at epithumia.math.uh.edu>
> Content-Type: text/plain
>
>>>>>> "DJW" == Daniel J Walsh <dwalsh at redhat.com> writes:
> DJW> The labelling of the kernel keyring has never been handled
> DJW> correctly.  The keyring gets created with a label based on the
> DJW> creating object then all sorts of other confined domains end up
> DJW> using the same keyring.
>
> Ah, that makes a lot of sense.  I have managed to get around it by
> restarting things, but knowing that whatever creates the keyring
> specifies the label does explain what I'm seeing, including the rare
> startup race.
>
> Do you know if it's possible to somehow look at the kernel keyring and
> see the labeling of things?  /proc/keys doesn't tell me.
>
> DJW> I would just allow the access.  You should open a bug with
> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>
> I reopened the existing bug, which was on F20 (and seemingly solved
> there) but which didn't get carried over to F21 somehow.  That is
> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>
> I can open a new ticket if that would be better.
>
>  - J<
>
>
> ------------------------------
>
> End of selinux Digest, Vol 132, Issue 1
> ***************************************
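
Two practical gaps in the thread above: Jason asks how to see the SELinux label on a kernel key, since /proc/keys does not show it, and Dan suggests simply allowing sshd_t access to the gssd_t keyring. The following is an added example, not code from anyone on the list. It reads /proc/keys for key serials and, where keyutils is installed, asks the kernel for each key's context with `keyctl get_security` (the KEYCTL_GET_SECURITY call, which is where the label actually lives), and it writes the minimal local policy module Dan describes. The domain names sshd_t and gssd_t come from the thread; the module name, the sample /proc/keys lines and the single `write` permission are assumptions for illustration, and the real permission set should be taken from the AVC denial in the audit log.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Shows (1) how to find the
# SELinux context of kernel keys, which /proc/keys omits but
# `keyctl get_security` returns, and (2) how to emit the small local policy
# module that grants sshd_t access to keys labelled gssd_t. sshd_t/gssd_t are
# from the thread; the module name and sample data below are constructed.

# Constructed /proc/keys sample in the kernel's documented column layout:
#   SERIAL   FLAGS  USAGE EXPY PERM     UID   GID TYPE      DESCRIPTION: SUMMARY
SAMPLE_PROC_KEYS='00000001 I-----    39 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
00000002 I-----     2 perm 1f3f0000     0     0 keyring   _uid.0: empty
0a1b2c3d I--Q--     1 perm 3f010000     0     0 keyring   _ses: 2
1f2e3d4c I-----     1 perm 3f010000     0     0 user      rpcsec_gss: 16'

# key_serials TYPE   (reads /proc/keys text on stdin)
# Prints "serial type description" per key; an empty TYPE matches every type.
key_serials() {
    awk -v want="$1" '
        /^[0-9a-f]+ / && (want == "" || $8 == want) {
            desc = $9; sub(/:$/, "", desc)
            print $1, $8, desc
        }'
}

# key_context SERIAL   (hex serial exactly as printed in /proc/keys)
# The label returned here is what SELinux checks sshd_t against; it is not
# visible anywhere in /proc/keys itself.
key_context() {
    if command -v keyctl >/dev/null 2>&1; then
        keyctl get_security "0x$1" 2>/dev/null || echo "(unreadable: $1)"
    else
        echo "(keyctl not installed)"
    fi
}

# show_key_labels TYPE: walk the live /proc/keys and print one line per key
# with its SELinux context appended. Needs root to see other users' keys.
show_key_labels() {
    key_serials "$1" < /proc/keys | while read -r serial ktype desc; do
        printf '%s %-8s %-20s %s\n' "$serial" "$ktype" "$desc" "$(key_context "$serial")"
    done
}

# write_local_te FILE SOURCE_DOMAIN TARGET_DOMAIN PERMS
# Emits a minimal .te granting SOURCE_DOMAIN PERMS on keys labelled
# TARGET_DOMAIN. Take PERMS from the real denial (ausearch -m avc -c sshd);
# the thread only names "write". Module name is an assumption.
write_local_te() {
    cat > "$1" <<EOF
module sshd_gssd_keyring_local 1.0;

require {
    type $2;
    type $3;
    class key { $4 };
}

allow $2 $3:key { $4 };
EOF
}

# Build and load the module (checkpolicy + policycoreutils, as root):
#   write_local_te local.te sshd_t gssd_t write
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
```

`show_key_labels keyring` on a live box prints every keyring with its context, which is the quickest way to confirm the race Jason describes: the keyring that ends up labelled by whichever daemon created it first. The policy module is the local, narrow form of Dan's "just allow the access"; the proper fix is still the selinux-policy bug he points at, so the module should be removed once the distro policy carries the rule.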