Re: Issues with sshd writing to the kernel keyring

On 01/29/2015 09:34 PM, Jason L Tibbitts III wrote:
> I'm trying to get all of this fancy kerberized NFS stuff working and I'm
> having a problem where credential forwarding via ssh doesn't work due to
> selinux.  Running fully updated Fedora 21
> (selinux-policy-targeted-3.13.1-103.fc21.noarch,
> kernel-3.18.3-201.fc21.x86_64) I get the following AVCs:
>
> time->Thu Jan 29 20:25:18 2015
> type=AVC msg=audit(1422584718.991:278): avc:  denied  { read } for
> pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
> ----
> time->Thu Jan 29 20:25:18 2015
> type=AVC msg=audit(1422584718.991:279): avc:  denied  { write } for
> pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
>
> And sshd logs a failure:
>
> Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: temporarily_use_uid: 7225/7225 (e=0/0)
> Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: ssh_krb5_cc_gen: Setting ccname to KEYRING:persistent:7225
> Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: krb5_cc_initialize(): Permission denied
> Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: restore_uid: 0/0
>
> I don't know what causes this; sometimes it just starts working randomly
> (and the AVCs go away).  I don't know if this is a bug or if I'm doing
> something wrong.  If I disable selinux (setenforce 0) it immediately
> starts working.
>
>  - J<
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
The labelling of the kernel keyring has never been handled correctly.
The keyring gets created with a label based on the creating object, then
all sorts of other confined domains end up using the same keyring.
(Usually the keyring is per UID, root for example.)

I would just allow the access.  You should open a bug with
selinux-policy to allow sshd_t to write to the gssd_t
keyring.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
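The reply above suggests allowing sshd_t access to the gssd_t keyring. The script below is an added example, not code from this thread or from the selinux-policy project: it converts the two AVC records quoted in the original message into the kind of local policy module audit2allow would generate, and shows the checkmodule/semodule_package/semodule commands that compile and load it. The module name local_sshd_gssd_key is an assumption chosen for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread: an audit2allow-style converter
# that turns AVC "denied" records into a local SELinux policy module.
# The module name "local_sshd_gssd_key" is an assumption for illustration.

# Constructed input: the two AVC records copied from the quoted message,
# each joined onto one line as it appears in audit.log.
AVC_SAMPLE='type=AVC msg=audit(1422584718.991:278): avc:  denied  { read } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422584718.991:279): avc:  denied  { write } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0'

# awk program: group denied permissions by (source type, target type, class)
# and emit allow rules; with -v modname=... also emit the module header and
# the require block listing every type and class the rules reference.
AVC_AWK='
function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
function add_perm(k, perm) {
    if (index(" " perms[k] " ", " " perm " ") == 0)
        perms[k] = (perms[k] == "" ? perm : perms[k] " " perm)
}
function add_type(t) { if (!(t in types)) { types[t] = 1; torder[++ntypes] = t } }
/type=AVC/ && /denied/ {
    src = ""; tgt = ""; cls = ""; plist = ""
    # the denied permissions sit between "{" and "}"
    if (match($0, /\{[^}]*\}/)) plist = substr($0, RSTART + 1, RLENGTH - 2)
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      src = type_of(substr($i, 10))
        else if ($i ~ /^tcontext=/) tgt = type_of(substr($i, 10))
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
    }
    if (src == "" || tgt == "" || cls == "" || plist == "") next
    rule = src " " tgt ":" cls
    if (!(rule in perms)) { perms[rule] = ""; rorder[++nrules] = rule }
    if (!(cls in classes)) { classes[cls] = 1; corder[++nclasses] = cls }
    add_type(src); add_type(tgt)
    n = split(plist, p, " ")
    for (j = 1; j <= n; j++) if (p[j] != "") { add_perm(rule, p[j]); add_perm("class:" cls, p[j]) }
}
END {
    if (nrules == 0) exit 1
    if (modname != "") {
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (t = 1; t <= ntypes; t++) print "    type " torder[t] ";"
        for (c = 1; c <= nclasses; c++) printf "    class %s { %s };\n", corder[c], perms["class:" corder[c]]
        print "}\n"
    }
    for (r = 1; r <= nrules; r++) printf "allow %s { %s };\n", rorder[r], perms[rorder[r]]
}
'

# avc_to_allow: AVC records on stdin -> bare allow rules on stdout.
avc_to_allow() { awk "$AVC_AWK"; }

# avc_to_te NAME: AVC records on stdin -> complete .te module source.
avc_to_te() { awk -v modname="$1" "$AVC_AWK"; }

# build_and_install NAME: AVC records on stdin -> compiled and loaded module.
# Needs checkpolicy, policycoreutils and root, so it is defined but not run here.
build_and_install() {
    name=$1
    avc_to_te "$name" > "$name.te" &&
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Demo: print the module source for the quoted denials.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_sshd_gssd_key
```

On a real host the same result comes from `ausearch -m AVC -ts recent | audit2allow -M local_sshd_gssd_key` followed by `semodule -i local_sshd_gssd_key.pp`; afterwards `sesearch -A -s sshd_t -t gssd_t -c key` (setools) shows the new rule, and the AVCs should stop appearing while sshd initialises the KEYRING: credential cache. Note that the rule grants sshd_t read and write on every key labelled gssd_t, which is the blanket allow the reply proposes rather than a per-keyring label fix.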