Wind River Support Network

Status: Fixed

OVP-12 : sshd generates selinux avc denials for key link operations instigated by pam

Created: Sep 25, 2013    Updated: Mar 11, 2016
Resolved Date: Nov 3, 2013
Found In Version: 5.0.1
Fix Version: 5.0.1.9
Severity: Severe
Applicable for: Wind River Linux 5
Component/s: Userspace

Description

SELinux generates a denial when sshd tries to link the (newly created) session keyring into the user keyring:

  type=AVC msg=audit(1380132590.110:14): avc:  denied  { link } for  pid=3045 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=key
  type=SYSCALL msg=audit(1380132590.110:14): arch=c000003e syscall=250 success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 ppid=3041 pid=3045 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

For some reason, the new keyring is created with the initrc_t type rather than the sshd_t type that sshd is already using in its credentials.

The key-setting code is in pam_keyinit.  We run:

  #include <keyutils.h>   /* keyctl() wrapper and KEY_SPEC_* constants from libkeyutils; pam_keyinit itself issues the raw syscall */
  keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL);   /* replace the caller's session keyring with a new anonymous one */
  keyctl(KEYCTL_LINK, KEY_SPEC_USER_KEYRING, KEY_SPEC_SESSION_KEYRING);   /* the call that produces the { link } denial above */

If I understand this stuff correctly, this code creates a new session keyring with the default SELinux context, then links the keyring into the user keyring.  I don't understand why the default SELinux context for the new keyring has the initrc_t type, though.

A note: this bug only popped up after we installed the ssh module for SELinux.  I'm running my system in permissive mode so that I can track denials easily.
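To pin down which of the two pam_keyinit calls is behind a denial like the one above, here is an added Python helper (not part of this report or of Wind River's code) that pairs the AVC and SYSCALL records by their audit event serial and decodes the keyctl() arguments; the two log lines from the report are embedded as constructed sample input.

```python
import re

# Constructed sample input: the two audit records quoted in the report. They share
# event serial 14 in audit(<timestamp>:<serial>), which is how they are paired.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380132590.110:14): avc:  denied  { link } for  pid=3045 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=key
type=SYSCALL msg=audit(1380132590.110:14): arch=c000003e syscall=250 success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 ppid=3041 pid=3045 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""
AUDIT_ARCH_X86_64, NR_KEYCTL_X86_64 = "c000003e", 250   # arch= and syscall= of the record
KEYCTL_CMDS = {1: "KEYCTL_JOIN_SESSION_KEYRING", 8: "KEYCTL_LINK", 9: "KEYCTL_UNLINK"}
KEY_SPEC = {-1: "KEY_SPEC_THREAD_KEYRING", -2: "KEY_SPEC_PROCESS_KEYRING",
            -3: "KEY_SPEC_SESSION_KEYRING", -4: "KEY_SPEC_USER_KEYRING",
            -5: "KEY_SPEC_USER_SESSION_KEYRING"}

def parse_record(line):
    """One audit record -> dict of its key=value fields, event serial and AVC permission."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["serial"] = re.search(r"audit\([\d.]+:(\d+)\)", line).group(1)
    perm = re.search(r"avc:\s+denied\s+\{ ([^}]+) \}", line)
    if perm:
        rec["perm"] = perm.group(1).strip()
    return rec

def signed_arg(hexstr):
    """Audit prints syscall args as unsigned hex; KEY_SPEC_* ids are small negatives."""
    bits, value = (64 if len(hexstr) > 8 else 32), int(hexstr, 16)
    return value - (1 << bits) if value >> (bits - 1) else value

def explain_key_denials(log_text):
    """Pair each tclass=key AVC with its SYSCALL record and decode the keyctl() call."""
    events = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not (avc and sc) or avc.get("tclass") != "key":
            continue
        is_keyctl = sc["arch"] == AUDIT_ARCH_X86_64 and int(sc["syscall"]) == NR_KEYCTL_X86_64
        cmd, a1, a2 = int(sc["a0"], 16), signed_arg(sc["a1"]), signed_arg(sc["a2"])
        findings.append({
            "serial": serial, "comm": avc["comm"], "permission": avc["perm"],
            "source_type": avc["scontext"].split(":")[2],   # user:role:type[:range]
            "target_type": avc["tcontext"].split(":")[2],
            "keyctl": KEYCTL_CMDS.get(cmd, f"cmd {cmd}") if is_keyctl else None,
            # keyctl(KEYCTL_LINK, key, keyring): { link } is checked on the key in a1,
            # so tcontext is that key's label, not the destination keyring's.
            "key": KEY_SPEC.get(a1, a1), "keyring": KEY_SPEC.get(a2, a2),
            "enforced": sc["success"] != "yes",   # success=yes: permissive mode
        })
    return findings
```

For the sample, the one finding decodes to KEYCTL_LINK with a1 = KEY_SPEC_USER_KEYRING and a2 = KEY_SPEC_SESSION_KEYRING, i.e. the second pam_keyinit call, made by sshd_t against a key labelled initrc_t while the system was permissive.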

Steps to Reproduce

.../configure --enable-board=intel-xeon-core --enable-kernel=preempt-rt+xfs --enable-rootfs=ovp-ovirt-node+third-party-engine+gdb --enable-addons=wr-ovp ...
make all
make usb-image

boot the usb image on a node
log in using ssh
grep for ssh in /var/log/audit/audit.log