Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> Ah, wait - this is an automatic allocation of a per-uid keyring upon a
> setuid() call, right?

Maybe that's the solution: Don't automatically allocate the per-UID keyrings until someone tries to link to one or put something into one. Searching the keyrings won't create them - there's no point as they'd be empty anyway.

The pam_keyinit module could then be made to take a "nouser" argument that would tell it to avoid making the link from the session keyring it creates to the user keyring (or conversely a "user" argument that tells it to create the link).

That way I can arrange for only login processes (login, ssh, kdm, gdm, telnet, etc.) to use the per-UID keyrings. Things such as dovecot wouldn't then use it and so wouldn't create it.

David

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
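The question in this thread is which processes end up causing a per-UID keyring to be allocated. An administrator can see the answer on a running system by looking at the per-UID keyrings (described as `_uid.N`) in `/proc/keys`. The following script is an added example, not code from the thread or from the kernel or pam_keyinit projects: it parses `/proc/keys`-style text, lists which UIDs own a per-UID keyring, and flags any that are not in an expected set of login users (for instance a service account such as the one a daemon switches to with setuid()). The sample input, the UIDs and the serial numbers in it are constructed, not captured from a real machine.

```python
import re

# Constructed sample in the layout of /proc/keys (not captured from a real system):
# serial flags usage expiry perms uid gid type description: summary
SAMPLE_PROC_KEYS = """\
00000001 I--Q---     3 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1
00000002 I--Q---     2 perm 1f3f0000     0     0 keyring   _uid.0: empty
00000009 I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 1
0000000a I--Q---     2 perm 1f3f0000  1000  1000 keyring   _uid.1000: 1
0000000b I--Q---     1 perm 3f010000  1000  1000 user      example-token: 16
0000000c I--Q---     2 perm 1f3f0000    97    97 keyring   _uid.97: empty
0000000d I--Q---     1 perm 3f030000    97    97 keyring   _ses: 1
"""

# One /proc/keys line; the flags column is taken as one token so that the
# parser does not depend on how many flag characters the kernel prints.
LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+(?P<expiry>\S+)\s+"
    r"(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<desc>.*?)(?:: (?P<summary>.*))?$"
)

# Description of a per-UID keyring: _uid.<uid>
UID_KEYRING_RE = re.compile(r"^_uid\.(\d+)$")


def parse_proc_keys(text):
    """Parse /proc/keys text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def uid_keyrings(text):
    """Map uid -> keyring serial for every per-UID keyring (_uid.N) present."""
    found = {}
    for entry in parse_proc_keys(text):
        if entry["type"] != "keyring":
            continue
        m = UID_KEYRING_RE.match(entry["desc"])
        if m:
            found[int(m.group(1))] = entry["serial"]
    return found


def empty_uid_keyrings(text):
    """UIDs whose per-UID keyring exists but holds nothing: the allocations the
    thread proposes avoiding, since nothing was ever linked into them."""
    empty = []
    for entry in parse_proc_keys(text):
        m = UID_KEYRING_RE.match(entry["desc"]) if entry["type"] == "keyring" else None
        if m and entry["summary"] == "empty":
            empty.append(int(m.group(1)))
    return sorted(empty)


def unexpected_uid_keyrings(text, login_uids):
    """UIDs that own a per-UID keyring but are not expected login users, i.e.
    candidates for a non-login process having triggered the allocation."""
    return sorted(uid for uid in uid_keyrings(text) if uid not in login_uids)


if __name__ == "__main__":
    # Against the constructed sample, uid 97 stands in for a service account.
    login_users = {0, 1000}
    print("per-UID keyrings:", uid_keyrings(SAMPLE_PROC_KEYS))
    print("empty per-UID keyrings:", empty_uid_keyrings(SAMPLE_PROC_KEYS))
    print("not login users:", unexpected_uid_keyrings(SAMPLE_PROC_KEYS, login_users))
    # On a live Linux box the same checks can be run on the real file.
    try:
        with open("/proc/keys") as f:
            print("live:", unexpected_uid_keyrings(f.read(), login_users))
    except OSError:
        pass
```

The set of "login" UIDs is an input the administrator supplies (for example the UIDs that log in through login, ssh or a display manager); which UIDs count as unexpected is a local policy decision, and the script only reports what `/proc/keys` shows.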