What if there would exist a central module responsible for handling the keyrings? It could expose a netlink socket or a dbus interface, or a tcp socket (most likely, since there is network authentication with ipa/kerberos) for various like login, sssd or kerberos to subscribe/communicate and get notified about events and then create the keyrings with a context? Well, that's definitely not selinux'ish strictly speaking but a more general problem.

On 02/02/2015 07:10 PM, Daniel J Walsh wrote:
> On 02/01/2015 06:50 AM, George Karakougioumtzis wrote:
>> It's not an actual answer but rather an idea based upon Dan's mail. What
>> if pam_keyring would be patched to supply the correct label? Just food
>> for thought.
> pam_keyring supplies the keyring of the logged in user, but in several cases
> we have other entities creating keyrings, like sssd, or services like
> gssd.
> If the keyring is a UID based keyring, it does not necessarily follow
> SELinux rules. Can I have multiple uid=0 keyrings which are separated? We are
> having major problems with containers and the keyring. Where we basically want a
> separate keyring for each container even if the containers are all
> running with the same UID.
>> On 02/01/2015 02:00 PM, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
>>> Today's Topics:
>>>
>>>    1. Re: Issues with sshd writing to the kernel keyring
>>>       (Jason L Tibbitts III)
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Sat, 31 Jan 2015 15:45:31 -0600
>>> From: Jason L Tibbitts III <tibbs@xxxxxxxxxxx>
>>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: Issues with sshd writing to the kernel keyring
>>> Message-ID: <ufay4oi1v5w.fsf@xxxxxxxxxxxxxxxxxxxxx>
>>> Content-Type: text/plain
>>>
>>>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>>> DJW> The labelling of the kernel keyring has never been handled
>>> DJW> correctly. The keyring gets created with a label based on the
>>> DJW> creating object then all sorts of other confined domains end up
>>> DJW> using the same keyring.
>>>
>>> Ah, that makes a lot of sense. I have managed to get around it by
>>> restarting things, but knowing that whatever creates the keyring
>>> specifies the label does explain what I'm seeing, including the rare
>>> startup race.
>>>
>>> Do you know if it's possible to somehow look at the kernel keyring and
>>> see the labeling of things? /proc/keys doesn't tell me.
>>>
>>> DJW> I would just allow the access. You should open a bug with
>>> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>>>
>>> I reopened the existing bug, which was on F20 (and seemingly solved
>>> there) but which didn't get carried over to F21 somehow. That is
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>>>
>>> I can open a new ticket if that would be better.
>>>
>>> - J<
>>>
>>> ------------------------------
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> End of selinux Digest, Vol 132, Issue 1
>>> ***************************************
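Jason's question above (how to see the label of a key when /proc/keys does not show it) and Dan's point about UID-based keyrings can both be checked from the list's own side. The following is an added example, not code from the thread or from keyutils: it parses the /proc/keys columns, picks out the keyrings owned by a given UID, and builds the keyctl(1) `security` invocation that prints the LSM context the kernel attached to a key. The /proc/keys lines are constructed sample data, not captured from any of the posters' hosts.

```python
import re
import subprocess

# Constructed sample of /proc/keys output (serial, flags, usage, timeout,
# perms, uid, gid, type, description); serials and names are made up.
SAMPLE_PROC_KEYS = """\
0a1b2c3d I--Q---     1 perm 3f030000     0     0 keyring   _uid.0: 2
1e2f3a4b I--Q---     3 perm 1f3f0000  1000  1000 keyring   _ses: 1
2c3d4e5f I--Q---     2 perm 3f010000     0     0 keyring   _pid.1234: 1
3d4e5f60 I--Q---     1 perm 3f010000     0     0 user      krb5_ccache: 16
"""

PROC_KEYS_RE = re.compile(
    r"^(?P<serial>[0-9a-f]+)\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+(?P<timeout>\S+)\s+"
    r"(?P<perms>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s+(?P<desc>.*)$"
)


def parse_proc_keys(text):
    """Turn /proc/keys text into dicts; the serial is hex there, decimal in keyctl."""
    entries = []
    for line in text.splitlines():
        m = PROC_KEYS_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines truncated by the reader
        d = m.groupdict()
        d["serial"] = int(d["serial"], 16)
        d["uid"], d["gid"] = int(d["uid"]), int(d["gid"])
        entries.append(d)
    return entries


def uid_keyrings(entries, uid):
    """Keyrings owned by one UID: several services running as that UID share them,
    which is the case Dan describes where SELinux labels do not separate them."""
    return [e for e in entries if e["type"] == "keyring" and e["uid"] == uid]


def security_command(entry):
    """`keyctl security <serial>` prints the key's LSM context, which /proc/keys omits."""
    return ["keyctl", "security", str(entry["serial"])]


def key_context(entry):
    """Run keyctl on a live system; returns None if keyctl is missing or access is denied."""
    try:
        out = subprocess.run(security_command(entry), capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()
```

Reading a key's security context requires view permission on it, so run this as the keyring's owner or as root.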