I think the placement of the pam_keyinit.so in the pam files is incorrect?

Daniel J Walsh dwalsh at redhat.com
Thu Dec 6 15:33:27 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't fully understand how you intend to use keying, but I have talked
to Nalin about this, since he is about to allow or does allow the
storing of the kerberos tgt in a kernel keyring.

Currently pam_keyinit is happening in system-auth as well as most of the
 login pam modules.

SELinux comes into play here, since we want to make sure the context on
the keyring is set correctly.  "pam_selinux open" sets the kernel to
label the keyring with the users context, but in several places
pam_keyinit is being called before pam_selinux (system-auth) is the
culprit.

This results in us having kernel keyrings labeled local_login_t or
sshd_t.  Which is wrong.  They should be labeled user_t or unconfined_t.

So I would suggest that we remove pam_keyinit from system_auth and only
use it in login pam modules which call it after pam_selinux open.

Now the next question is whether it should be called in su or sudo?
Since wouldn't this remove access to my keying material?

su and sudo do not call pam_selinux open, so it will not setup a
labeling for pam_keyinit, and the keys will get created as user_sudo_t
or user_su_t for example.  At this point what access is expected by the
user for these keyrings?  Would you expect the keyrings to be labeled
kernel_t, or should we remove the pam_keyinit from su and sudo, leaving
access to the login keyrings.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHWBZHrlYvE4MpobMRApEUAJ9bBY9we50xJQpLAvNdIyKNrfNXrACg4qzm
Rc3m/LwuNZ9f9zO5y1OsJM8=
=CqG0
-----END PGP SIGNATURE-----




More information about the fedora-devel-list mailing list