>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:

DJW> The labelling of the kernel keyring has never been handled
DJW> correctly. The keyring gets created with a label based on the
DJW> creating object then all sorts of other confined domains end up
DJW> using the same keyring.

Ah, that makes a lot of sense. I have managed to get around it by restarting things, but knowing that whatever creates the keyring specifies the label does explain what I'm seeing, including the rare startup race.

Do you know if it's possible to somehow look at the kernel keyring and see the labeling of things? /proc/keys doesn't tell me.

DJW> I would just allow the access. You should open a bug with
DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.

I reopened the existing bug, which was on F20 (and seemingly solved there) but which didn't get carried over to F21 somehow. That is https://bugzilla.redhat.com/show_bug.cgi?id=1063827

I can open a new ticket if that would be better.

- J<

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
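As an added example for the question raised above (not part of this thread, and not a Fedora or selinux-policy tool): /proc/keys lists the keys a process can see but carries no LSM label, while the keyutils command `keyctl security <key>` asks the kernel (KEYCTL_GET_SECURITY) for a key's security context. The script below parses /proc/keys-format text, picks out the keyrings, and prints each one's SELinux context so an admin can check which domain's label a shared keyring ended up with. The function names and the sample lines used in testing are constructed for this example; `keyctl` and the /proc/keys column layout (serial, flags, usage, timeout, perms, uid, gid, type, description) are the real ones.

```shell
#!/bin/sh
# Added example: audit the SELinux labels of keyrings visible to this process.
# /proc/keys shows no label; "keyctl security <id>" returns the LSM context.

# keys_of_type TYPE: read /proc/keys-format text on stdin and print
# "<serial> <type> <description>" for entries of TYPE (default: keyring).
# awk's default field splitting absorbs the kernel's column padding, so the
# type is always field 8 and the description is fields 9 onward.
keys_of_type() {
    want="${1:-keyring}"
    awk -v want="$want" '
        $8 == want {
            desc = ""
            for (i = 9; i <= NF; i++) desc = desc (i > 9 ? " " : "") $i
            print $1, $8, desc
        }'
}

# key_label SERIAL_HEX: print the security context of one key. /proc/keys
# prints serials in hex; keyctl wants a numeric key id, so convert first.
# Falls back to a marker string when keyctl is missing or the key is not
# accessible, so the report never aborts half-way.
key_label() {
    id=$((0x$1))
    if command -v keyctl >/dev/null 2>&1; then
        keyctl security "$id" 2>/dev/null || echo "(no access to key $id)"
    else
        echo "(keyctl not available)"
    fi
}

# report_keyring_labels: one line per keyring, "<serial> keyring <desc> -> <context>".
report_keyring_labels() {
    keys_of_type keyring | while read -r serial type desc; do
        printf '%s %s %s -> %s\n' "$serial" "$type" "$desc" "$(key_label "$serial")"
    done
}

# Run against the live keyring table when it is readable.
if [ -r /proc/keys ]; then
    report_keyring_labels < /proc/keys
fi
```

Run it from the shell of the domain you are investigating (or via `runcon`) and compare the context printed for the shared keyring with the domains that later use it; a keyring labelled for the creating domain but used by others is exactly the situation described above. Keys the caller has no `view` permission on are skipped by the kernel and simply do not appear in /proc/keys.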