Bug 1034275

Summary: lots of AVCs when using gpg-agent as an ssh-agent under staff_t
Product: Fedora
Component: selinux-policy-targeted
Version: 20
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Michael S. <misc>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Fixed In Version: selinux-policy-3.12.1-116.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-01-16 07:08:31 UTC

Description Michael S. 2013-11-25 14:16:55 UTC
Following http://blog.habets.pp.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
I tried to run this:
$ gpg-agent --enable-ssh-support --daemon ssh-add -l

but this generates this error message:

gpg-agent[6967]: failed to run the command: Permission denied

and 276 AVCs.

271 are due to gpg-agent trying to access everything in /dev/,

like this:

type=AVC msg=audit(1385388831.734:1954): avc:  denied  { getattr } for  pid=6967 comm="gpg-agent" path="/dev/tty60" dev="devtmpfs" ino=1101 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file


The 5 others are:
type=AVC msg=audit(1385388821.398:1745): avc:  denied  { execute } for  pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1385388821.398:1746): avc:  denied  { execute } for  pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1385388821.398:1747): avc:  denied  { signal } for  pid=6460 comm="gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1385388831.630:1788): avc:  denied  { getattr } for  pid=6967 comm="gpg-agent" path="/proc/kcore" dev="proc" ino=4026532032 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file

type=AVC msg=audit(1385388831.647:1926): avc:  denied  { getattr } for  pid=6967 comm="gpg-agent" path="/proc/kcore" dev="proc" ino=4026532032 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file

setenforce 0 makes the command work fine.

Comment 1 Daniel Walsh 2013-11-25 15:10:29 UTC
8e6715385c9afc423b85024f9cd888051fc7852d fixes this in git.

With setenforce 0, did you get any additional AVC messages?

Comment 2 Michael S. 2013-11-25 15:24:48 UTC
With setenforce 0, I have far fewer messages:

type=AVC msg=audit(1385393008.650:2649): avc:  denied  { execute } for  pid=13266 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1385393008.650:2649): avc:  denied  { execute_no_trans } for  pid=13266 comm="gpg-agent" path="/usr/bin/ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1385393008.657:2650): avc:  denied  { read } for  pid=13266 comm="ssh-add" name="openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file

type=AVC msg=audit(1385393008.657:2650): avc:  denied  { open } for  pid=13266 comm="ssh-add" path="/etc/pki/tls/openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file

type=AVC msg=audit(1385393008.657:2651): avc:  denied  { getattr } for  pid=13266 comm="ssh-add" path="/etc/pki/tls/openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file

I guess that's because it is not allowed to change the domain in the first place?
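
The AVC records quoted in the description and in comment 2 are the raw material a policy fix is derived from, and the usual first step is `ausearch -m avc | audit2allow` to collapse them into candidate `allow` rules. The script below is an added example (it is not part of this bug report, of the Fedora selinux-policy package, or of the commits Daniel Walsh references) that does that collapsing by hand on one record of each kind quoted above, so the intermediate reasoning is visible: it parses each record, merges permissions per (source type, target type, class), prints the rules audit2allow would propose, and reports which domain each denied program was running in. The sample records are the bug's own lines, re-joined onto single lines where the page broke one in two; the rule syntax mirrors audit2allow's output but the script is not audit2allow.

```python
import re
from collections import defaultdict

# Sample input: one AVC record of each kind quoted in this bug (description and
# comment 2), re-joined onto single lines where the page split a record in two.
SAMPLE_AVCS = """\
type=AVC msg=audit(1385388831.734:1954): avc:  denied  { getattr } for  pid=6967 comm="gpg-agent" path="/dev/tty60" dev="devtmpfs" ino=1101 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1385388821.398:1745): avc:  denied  { execute } for  pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385388821.398:1747): avc:  denied  { signal } for  pid=6460 comm="gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1385388831.630:1788): avc:  denied  { getattr } for  pid=6967 comm="gpg-agent" path="/proc/kcore" dev="proc" ino=4026532032 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
type=AVC msg=audit(1385393008.650:2649): avc:  denied  { execute_no_trans } for  pid=13266 comm="gpg-agent" path="/usr/bin/ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2650): avc:  denied  { read } for  pid=13266 comm="ssh-add" name="openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2650): avc:  denied  { open } for  pid=13266 comm="ssh-add" path="/etc/pki/tls/openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    # A context is user:role:type[:mls range]; allow rules are written on the type.
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def collapse(lines):
    """Merge denials that differ only in permission into one (source, target, class) key."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return merged


def allow_rules(lines):
    """Emit the allow rules audit2allow would propose for these denials."""
    rules = []
    for (src, tgt, cls), perms in sorted(collapse(lines).items()):
        tgt = "self" if tgt == src else tgt          # audit2allow writes self for src == tgt
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


def domains_by_comm(lines):
    """Map each denied program name to the SELinux domain(s) it was running in."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["comm"]:
            seen[rec["comm"]].add(rec["source_type"])
    return dict(seen)


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    print("# rules audit2allow would generate (review before loading)")
    for rule in allow_rules(lines):
        print(rule)
    print("# domain each denied program ran in")
    for comm, doms in sorted(domains_by_comm(lines).items()):
        print("%-10s %s" % (comm, ", ".join(sorted(doms))))
```

Two things the output makes visible that the raw records do not. First, `domains_by_comm` shows `ssh-add` itself running as `gpg_agent_t`, which is the evidence behind the guess in comment 2: the `execute_no_trans` denial means the child would stay in the caller's domain, and the `cert_t` denials are then ssh-add, not gpg-agent, being refused inside that domain. Second, the generated rules are only candidates: the `getattr` on every node under /dev and on /proc/kcore is gpg-agent probing, and a policy author would normally silence that with `dontaudit` rather than grant it, while the bin_t `execute`/`execute_no_trans` pair is a design decision (run ssh-add inside gpg_agent_t, or give it a domain transition) rather than something to paste into a local module. Since the fix shipped in selinux-policy-3.12.1-116.fc20, a local module built from these rules would be a stopgap only.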

Comment 3 Daniel Walsh 2013-11-25 15:38:40 UTC
b49f963506f6e60e351123991eb3bfc8658c8baf is also needed then.

Comment 4 Fedora Update System 2014-01-13 22:54:22 UTC
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20

Comment 5 Fedora Update System 2014-01-15 05:55:59 UTC
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-01-16 07:08:31 UTC
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.