On 02/01/2015 06:50 AM, George Karakougioumtzis wrote:
> It's not an actual answer but rather an idea based upon Dan's mail. What
> if pam_keyring would be patched to supply the correct label? Just food
> for thought

pam_keyring supplies the keyring of the logged in user, but in several
cases we have other entities creating keyrings, like sssd, or services
like gssd. If the keyring is a UID based keyring, it does not necessarily
follow SELinux rules. Can I have multiple uid=0 keyrings which are
separated? We are having major problems with containers and the keyring,
where we basically want a separate keyring for each container even if
the containers are all running with the same UID.

> On 02/01/2015 02:00 PM, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
>> Message: 1
>> Date: Sat, 31 Jan 2015 15:45:31 -0600
>> From: Jason L Tibbitts III <tibbs@xxxxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Issues with sshd writing to the kernel keyring
>> Message-ID: <ufay4oi1v5w.fsf@xxxxxxxxxxxxxxxxxxxxx>
>>
>>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>> DJW> The labelling of the kernel keyring has never been handled
>> DJW> correctly. The keyring gets created with a label based on the
>> DJW> creating object then all sorts of other confined domains end up
>> DJW> using the same keyring.
>>
>> Ah, that makes a lot of sense. I have managed to get around it by
>> restarting things, but knowing that whatever creates the keyring
>> specifies the label does explain what I'm seeing, including the rare
>> startup race.
>>
>> Do you know if it's possible to somehow look at the kernel keyring and
>> see the labeling of things? /proc/keys doesn't tell me.
>>
>> DJW> I would just allow the access. You should open a bug with
>> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>>
>> I reopened the existing bug, which was on F20 (and seemingly solved
>> there) but which didn't get carried over to F21 somehow. That is
>> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>>
>> I can open a new ticket if that would be better.
>>
>> - J<

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
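Jason's question about what /proc/keys shows, and Dan's point that a UID based keyring is shared regardless of domain, can both be checked with this parser, an added example that is not code from the thread or from any project. It decodes the /proc/keys columns and the key permission mask and picks out the per-UID keyrings; the listing carries uid, gid and permissions but no SELinux label, so the label cannot be read from it. The sample listing is constructed, not captured from a real host.

```python
import re
# One /proc/keys line (kernel: security/keys/proc.c) is laid out as:
#   serial flags usage timeout perms uid gid type description
# flags is seven fixed positions: I R D Q U N i, '-' when clear.
LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>[I-][R-][D-][Q-][U-][N-][i-])\s+"
    r"(?P<usage>\d+)\s+(?P<timeout>\S+)\s+(?P<perm>[0-9a-f]{8})\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s*(?P<desc>.*)$"
)
# Permission mask: one byte per subject, same bit meanings in each byte.
PERM_BITS = (("view", 0x01), ("read", 0x02), ("write", 0x04),
             ("search", 0x08), ("link", 0x10), ("setattr", 0x20))
SUBJECTS = (("possessor", 24), ("user", 16), ("group", 8), ("other", 0))

def decode_perm(perm: int) -> dict:
    """Split the 32-bit key permission mask into per-subject rights."""
    return {name: [p for p, bit in PERM_BITS if (perm >> shift) & bit]
            for name, shift in SUBJECTS}

def parse_proc_keys(text: str) -> list:
    """Parse /proc/keys text into dicts; non-matching lines are skipped.
    Note the fields: uid, gid and a perm mask, but no SELinux label."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for field in ("usage", "uid", "gid"):
            rec[field] = int(rec[field])
        rec["perm"] = decode_perm(int(rec["perm"], 16))
        records.append(rec)
    return records

def uid_keyrings(records: list) -> dict:
    """Map uid -> per-UID keyrings (_uid.N, _uid_ses.N). Every process with
    that uid shares them, whatever domain or container it runs in."""
    out = {}
    for r in records:
        if r["type"] == "keyring" and r["desc"].startswith("_uid"):
            out.setdefault(r["uid"], []).append(r["desc"].split(":")[0])
    return out

# Constructed sample in /proc/keys format (not captured from a real host).
SAMPLE = """\
0a1b2c3d I--Q---     1 perm 3f030000     0     0 keyring   _ses: 2
1e2f3a4b I--Q---     2 perm 3f3f0000  1000  1000 keyring   _uid.1000: 1
3c4d5e6f I--Q---     1   1d 3f010000     0     0 user      krb5_ccache_conf_data: 16
"""
```

Run it against a real `/proc/keys` by reading the file into `parse_proc_keys`; an "other" byte carrying write or setattr is the kind of permission a reviewer would want to see flagged.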