It's not an actual answer, but rather an idea based upon Dan's mail. What if pam_keyring were patched to supply the correct label? Just food for thought.

On 02/01/2015 02:00 PM, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Message: 1
> Date: Sat, 31 Jan 2015 15:45:31 -0600
> From: Jason L Tibbitts III <tibbs@xxxxxxxxxxx>
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Issues with sshd writing to the kernel keyring
> Message-ID: <ufay4oi1v5w.fsf@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain
>
>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>
> DJW> The labelling of the kernel keyring has never been handled
> DJW> correctly. The keyring gets created with a label based on the
> DJW> creating object, then all sorts of other confined domains end up
> DJW> using the same keyring.
>
> Ah, that makes a lot of sense. I have managed to get around it by
> restarting things, but knowing that whatever creates the keyring
> specifies the label does explain what I'm seeing, including the rare
> startup race.
>
> Do you know if it's possible to somehow look at the kernel keyring and
> see the labeling of things? /proc/keys doesn't tell me.
>
> DJW> I would just allow the access. You should open a bug with
> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>
> I reopened the existing bug, which was on F20 (and seemingly solved
> there) but which didn't get carried over to F21 somehow. That is
> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>
> I can open a new ticket if that would be better.
>
> - J<
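As an added example that is not from either poster, a small POSIX shell script answering the question above about seeing keyring labels: it reads /proc/keys (which lists keys but not their security contexts) and asks keyctl security, from the keyutils package, for each key's SELinux context. The /proc/keys sample lines embedded for offline runs are constructed, and the script assumes keyutils is installed for the real case.

```shell
#!/bin/sh
# Constructed sample of /proc/keys lines (not taken from the thread). Used only
# when /proc/keys is not readable, so the script also runs outside a real host.
SAMPLE_PROC_KEYS='0b1e32c0 I--Q---     1 perm 1f3f0000     0     0 keyring   _ses: 1
2f0d4a11 I--Q---     2 perm 3f030000     0     0 keyring   _uid.0: 1
39a7c5de I------     1 perm 3f010000     0     0 user      sample_key: 12'

# Read /proc/keys format (serial flags usage timeout perms uid gid type desc: summary)
# from stdin and print "serial type description" for each key.
list_keys() {
    awk '{ desc = $9; sub(/:$/, "", desc); print $1, $8, desc }'
}

# Ask the kernel for the LSM (here SELinux) context of one key, by decimal id.
# keyctl(1) comes from keyutils; this fails if the key is not readable by the
# caller or keyutils is not installed, and the caller substitutes a marker.
key_label() {
    keyctl security "$1" 2>/dev/null
}

# Walk every visible key and print its serial, type, description and label.
show_key_labels() {
    list_keys | while read -r serial type desc; do
        id=$((0x$serial))   # /proc/keys prints hex serials; keyctl wants decimal
        label=$(key_label "$id") || label='(label not readable)'
        printf '%s %s %s %s\n' "$serial" "$type" "$desc" "$label"
    done
}

if [ -r /proc/keys ]; then
    show_key_labels < /proc/keys
else
    printf '%s\n' "$SAMPLE_PROC_KEYS" | show_key_labels
fi
```

Run it as the user whose keyring you are investigating (or as root), since /proc/keys only lists keys the reader can see.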