Bug 1176711

Summary: SELinux is preventing gpg-agent from 'create' accesses on the file .gpg-agent-info.
Product: Fedora
Reporter: Cesar Eduardo Barros <cesarb>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, rdieter
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:816453f390c4abe572c99b3efc22479adee68fb4ad1c972e82676d1baa31af7f
Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Last Closed: 2015-01-30 23:55:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Cesar Eduardo Barros 2014-12-22 22:30:40 UTC
Description of problem:
Logging into a KDE session as a user_u user.
SELinux is preventing gpg-agent from 'create' accesses on the file .gpg-agent-info.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow gpg to agent env file
Then you must tell SELinux about this by enabling the 'gpg_agent_env_file' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P gpg_agent_env_file 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that gpg-agent should be allowed create access on the .gpg-agent-info file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gpg-agent /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                user_u:user_r:gpg_agent_t:s0
Target Context                user_u:object_r:user_tmp_t:s0
Target Objects                .gpg-agent-info [ file ]
Source                        gpg-agent
Source Path                   gpg-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-12-22 19:23:05 BRST
Last Seen                     2014-12-22 19:26:42 BRST
Local ID                      f42c6108-69fe-479f-ade2-4a32cb9c2270

Raw Audit Messages
type=AVC msg=audit(1419283602.749:575): avc:  denied  { create } for  pid=3405 comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=0


Hash: gpg-agent,gpg_agent_t,user_tmp_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Potential duplicate: bug 1139057
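The raw AVC record above is the one thing everything else in this report is derived from: setroubleshoot's "Hash:" line is just comm, source type, target type, object class and permission joined by commas, and the module that the suggested `audit2allow -M mypol` pipeline builds is the denials folded into one `allow` rule per (source type, target type, class). The following is an added example written for this page, not code from the report, from setroubleshoot or from audit2allow. It parses AVC records out of audit.log text into those two forms. The first sample line is the denial quoted in this report; the other sample records are constructed here to exercise the parser and the merge step and do not come from the reporter's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample audit.log excerpt. The first AVC record is the denial
# quoted in this bug report; the remaining records are made up here to
# exercise the parser and the merge step (not from the reporter's machine).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1419283602.749:575): avc:  denied  { create } for  pid=3405 comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1419283602.749:575): arch=c000003e syscall=2 success=no exit=-13 comm="gpg-agent"
type=AVC msg=audit(1419283700.100:580): avc:  denied  { write open } for  pid=3405 comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1419283701.200:581): avc:  denied  { read } for  pid=3405 comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# AVC record layout:
#   type=AVC msg=audit(<secs>:<serial>): avc:  denied  { perms } for  key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<kv>.*)$"
)
# key=value pairs; values are either double-quoted (comm="gpg-agent") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    serial: int
    verdict: str
    perms: frozenset
    fields: dict  # pid, comm, name, scontext, tcontext, tclass, permissive, ...

    @staticmethod
    def _type_of(context):
        # A context is user:role:type:level; policy rules are written against the type.
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self):
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Return an AvcEvent for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcEvent(
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=frozenset(m.group("perms").split()),
        fields=fields,
    )


def parse_log(text):
    """Parse every AVC record in an audit.log excerpt, skipping SYSCALL/PATH/... records."""
    return [ev for ev in map(parse_avc, text.splitlines()) if ev is not None]


def setroubleshoot_hash(ev):
    """The 'Hash:' key setroubleshoot prints: comm, source type, target type, class, perms."""
    return ",".join([ev.fields["comm"], ev.source_type, ev.target_type,
                     ev.tclass, ",".join(sorted(ev.perms))])


def merge_rules(events):
    """Fold denials into one 'allow' rule per (source type, target type, class),
    the shape audit2allow produces for a batch of AVC records. Every permission
    that was denied is granted; nothing narrower is attempted."""
    merged = {}
    for ev in events:
        if ev.verdict != "denied":
            continue
        merged.setdefault((ev.source_type, ev.target_type, ev.tclass), set()).update(ev.perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    events = parse_log(SAMPLE_AUDIT_LOG)
    for ev in events:
        print("serial %d  hash %s" % (ev.serial, setroubleshoot_hash(ev)))
    print("\n".join(merge_rules(events)))
```

The point of rendering the merged rules is to see what the catchall suggestion would actually install: a rule generated this way grants exactly the permissions that were logged, on every object of the target type, with no check that the access makes sense. In this report the denial is a single `create` on `user_tmp_t`, which is far narrower than the `gpg_agent_env_file` boolean that setroubleshoot ranked first, so reading the merged rule before running `semodule -i` is the cheap check that tells you which of the two suggestions is the smaller grant.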

Comment 1 Daniel Walsh 2014-12-23 19:01:44 UTC
*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow gpg to agent env file
Then you must tell SELinux about this by enabling the 'gpg_agent_env_file' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P gpg_agent_env_file 1

Comment 3 Cesar Eduardo Barros 2014-12-23 22:18:17 UTC
(In reply to Daniel Walsh from comment #1)
> *****  Plugin catchall_boolean (89.3 confidence) suggests  
> ******************
> 
> If you want to allow gpg to agent env file
> Then you must tell SELinux about this by enabling the
> 'gpg_agent_env_file' boolean.
> You can read the 'None' man page for more details.
> Do
> setsebool -P gpg_agent_env_file 1

I didn't do anything out of the ordinary to get this setroubleshoot report; I just logged into a KDE session for a user_u user. IMHO, logging in as a user_u user shouldn't trigger any setroubleshoot warnings in the default configuration.

I took a look at https://github.com/TresysTechnology/refpolicy-contrib/blob/master/gpg.te, and this boolean seems to allow full access to the user home directory. However, looking at an unconfined_u user in the same machine, gpg-agent merely wants to create /run/user/<pid>/.gpg-agent-info; the boolean has a much wider effect than would be necessary.

I believe creating /run/user/<pid>/.gpg-agent-info by gpg-agent could be allowed by default, while the boolean could be left for when the user wants to create that file anywhere else.

If there's a good reason why creating /run/user/<pid>/.gpg-agent-info by gpg-agent as user_u should be forbidden by default, it at least should be silent.

Comment 5 Daniel Walsh 2015-01-02 12:31:46 UTC
Yes I agree this should be allowed by default.

Comment 6 Lukas Vrabec 2015-01-15 14:28:45 UTC
commit 6e1ea4e6bcc1156d8ae943d6648ca11a5e455541
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 15 15:28:10 2015 +0100

    Remove boolean gpg_agent_env_file

Comment 7 Fedora Update System 2015-01-27 16:49:40 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 8 Fedora Update System 2015-01-30 04:32:35 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2015-01-30 23:55:03 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.