Description of problem:
insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials:
audit: type=1400 audit(1650615650.790:4): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.810:5): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:6): avc: denied { getattr } for pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:7): avc: denied { write } for pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0
`gpg` tries to create its own homedir (~/.gnupg by default): this of course fails in case insights-client is invoked not manually, but e.g. by cockpit (from the subscription-manager plugin) or as systemd service.
Possible solutions to avoid this:
- create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations
- use a Python library for validating signatures -- python3-gpg, i.e. the Python binding of GPGME [1], seems a potential good candidate, as it is already shipped in BaseOS (even in RHEL 8)
[1] https://gnupg.org/software/gpgme/index.html
Version-Release number of selected component (if applicable):
insights-client-3.1.7-8.el9.noarch
Description of problem: insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials: audit: type=1400 audit(1650615650.790:4): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0 audit: type=1400 audit(1650615650.810:5): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0 audit: type=1400 audit(1650615650.843:6): avc: denied { getattr } for pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0 audit: type=1400 audit(1650615650.843:7): avc: denied { write } for pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0 `gpg` tries to create its own homedir (~/.gnupg by default): this of course fails in case insights-client is invoked not manually, but e.g. by cockpit (from the subscription-manager plugin) or as systemd service. Possible solutions to avoid this: - create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations - use a Python library for validating signatures -- python3-gpg, i.e. the Python binding of GPGME [1], seems a potential good candidate, as it is already shipped in BaseOS (even in RHEL 8) [1] https://gnupg.org/software/gpgme/index.html Version-Release number of selected component (if applicable): insights-client-3.1.7-8.el9.noarch