I'm trying to get all of this fancy kerberized NFS stuff working and I'm having a problem where credential forwarding via ssh doesn't work due to selinux.

Running fully updated Fedora 21 (selinux-policy-targeted-3.13.1-103.fc21.noarch, kernel-3.18.3-201.fc21.x86_64) I get the following AVCs:

time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:278): avc: denied { read } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
----
time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:279): avc: denied { write } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0

And sshd logs a failure:

Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: temporarily_use_uid: 7225/7225 (e=0/0)
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: ssh_krb5_cc_gen: Setting ccname to KEYRING:persistent:7225
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: krb5_cc_initialize(): Permission denied
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: restore_uid: 0/0

I don't know what causes this; sometimes it just starts working randomly (and the AVCs go away). I don't know if this is a bug or if I'm doing something wrong. If I disable selinux (setenforce 0) it immediately starts working.

 - J<
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
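An added example, not part of the original post: a small Python parser that groups the AVC records quoted above by command, source type, target type and object class, which makes it plain that both denials are sshd_t acting on a key labelled gssd_t while enforcing. The function names are this example's own, and the embedded sample is constructed from the two records in the post, laid out one per line.

```python
import re
from collections import defaultdict

# Constructed input: the two AVC records quoted in the post, one per line.
SAMPLE = """\
time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:278): avc: denied { read } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
----
time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:279): avc: denied { write } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"], rec["ttype"] = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
    return rec

def summarize(text):
    """Group denials by (comm, source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "serials": []})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # timestamps, "----" separators, non-AVC records
        g = groups[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["serials"].append(rec["serial"])
        g["enforced"] |= rec.get("permissive") == "0"  # 0 = access was blocked
    return dict(groups)

if __name__ == "__main__":
    for (comm, st, tt, cls), g in summarize(SAMPLE).items():
        state = "blocked" if g["enforced"] else "logged only"
        print(f"{comm}: {st} -> {tt}:{cls} {{ {' '.join(sorted(g['perms']))} }} ({state})")
```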