Description of problem: The ssh-keysign binary is setuid because it needs to read the system's sshd private keys /etc/ssh/ssh_host_[dr]sa_key. It opens them and immediately drops to the original uid. It reads /etc/ssh/ssh_config for options. Then it reads the data which should be signed from STDIN and gets the address/name of a socket it inherited. Then it verifies that the data passed to it are correct and signs them (using /dev/random through OpenSSL). The result is written to stdout. To protect against revealing the ssh keys the SELinux policy should be created. It was suggested to me by Jakub.
Added policy to handle this in selinux-policy-strict-1.23.5-2. Not really sure how to test it, though.
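An added illustrative policy module in reference-policy style that confines ssh-keysign to exactly the accesses the description above lists; it is not the module that shipped in selinux-policy-strict-1.23.5-2. The type names ssh_t and sshd_key_t, the interface names and the exact permission sets are assumptions drawn from reference-policy conventions and from the behaviour the report describes.

```selinux
policy_module(ssh_keysign_local, 1.0)

########################################
# Declarations
#
# Assumed names: ssh_t is the ssh client domain and sshd_key_t the label on
# /etc/ssh/ssh_host_*_key (reference-policy conventions); ssh_keysign_t and
# ssh_keysign_exec_t are declared here.
gen_require(`
	type ssh_t;
	type sshd_key_t;
')

type ssh_keysign_t;
type ssh_keysign_exec_t;
domain_type(ssh_keysign_t)
domain_entry_file(ssh_keysign_t, ssh_keysign_exec_t)
# Add "role <role> types ssh_keysign_t;" for every role that runs ssh_t.
role system_r types ssh_keysign_t;

########################################
# ssh-keysign local policy
#

# Only the ssh client enters the domain, and only through the labelled binary.
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)

# The binary is setuid root and drops to the caller's uid right after opening
# the keys, so setuid/setgid are the only root capabilities it needs.
allow ssh_keysign_t self:capability { setuid setgid };

# Read-only access to the host private keys is the whole point of the domain:
# no write, no relabel, and no access to any other file type.
allow ssh_keysign_t sshd_key_t:file { getattr open read };

# /etc/ssh/ssh_config (and other config under /etc) is read for options.
files_read_etc_files(ssh_keysign_t)

# OpenSSL draws entropy from /dev/random (per the report) and /dev/urandom.
dev_read_rand(ssh_keysign_t)
dev_read_urand(ssh_keysign_t)

# Data to sign arrives on stdin and the signature leaves on stdout, both pipes
# inherited from the client; the inherited connection socket is only inspected
# for its peer address, never created or connected by ssh-keysign.
allow ssh_keysign_t ssh_t:fd use;
allow ssh_keysign_t ssh_t:fifo_file { getattr read write };
allow ssh_keysign_t ssh_t:tcp_socket { getattr getopt };
```

The module also needs a file-context entry labelling the binary ssh_keysign_exec_t (e.g. `/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)`; the path is an assumption). To check it, confirm the label with `ls -Z` on the binary, trigger a host-based authentication from an unprivileged account, and look for denials with `ausearch -m avc -c ssh-keysign`: a correct policy yields a successful signature with no AVC, while any attempt by the domain to touch other files shows up as a denial.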