Re: Issues with sshd writing to the kernel keyring

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Its not an actual answer but rather an idea based upon Dan's mail. What
if pam_keyring would be patched to supply the correct label? Just food
for thought
On 02/01/2015 02:00 PM, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Send selinux mailing list submissions to
> 	selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> 	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> 	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
>
>
> Today's Topics:
>
>    1. Re: Issues with sshd writing to the kernel keyring
>       (Jason L Tibbitts III)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 31 Jan 2015 15:45:31 -0600
> From: Jason L Tibbitts III <tibbs@xxxxxxxxxxx>
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Issues with sshd writing to the kernel keyring
> Message-ID: <ufay4oi1v5w.fsf@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain
>
>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
> DJW> The labelling of the kernel keyring has never been handled
> DJW> correctly.  The keyring gets created with a label based on the
> DJW> creating object then all sorts of other confined domains end up
> DJW> using the same keyring.
>
> Ah, that makes a lot of sense.  I have managed to get around it by
> restarting things, but knowing that whatever creates the keyring
> specifies the label does explain what I'm seeing, including the rare
> startup race.
>
> Do you know if it's possible to somehow look at the kernel keyring and
> see the labeling of things?  /proc/keys doesn't tell me.
>
> DJW> I would just allow the access.  You should open a bug with
> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>
> I reopened the existing bug, which was on F20 (and seemingly solved
> there) but which didn't get carried over to F21 somehow.  That is
> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>
> I can open a new ticket if that would be better.
>
>  - J<
>
>
> ------------------------------
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> End of selinux Digest, Vol 132, Issue 1
> ***************************************

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux