Bug 476978

Summary: (staff_u) SELinux prevented gpgkeys_hkp from using the terminal 2
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: dwalsh, jkubin, mcepl, mgrepl, nalin, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-18 10:38:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2008-12-18 12:33:34 UTC
Whenever I run gpg --search-key (or the equivalent is run by seahorse), I get this. I don't think that this should be banned.

-----------------------
SELinux prevented gpgkeys_hkp from using the terminal 2.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux prevented gpgkeys_hkp from using the terminal 2. In most cases daemons
do not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.

Povolení přístupu:

Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

Příkaz pro opravu:

setsebool -P allow_daemons_use_tty=1

Další informace:

Kontext zdroje                staff_u:staff_r:gpg_helper_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:object_r:staff_devpts_t
Objekty cíle                 2 [ chr_file ]
Zdroj                         gpgkeys_hkp
Cesta zdroje                  /usr/lib/gnupg/gpgkeys_hkp
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          gnupg-1.4.9-4.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-34.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     allow_daemons_use_tty
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           3
Poprvé viděno               Čt 18. prosinec 2008, 12:37:38 CET
Naposledy viděno             Čt 18. prosinec 2008, 12:42:23 CET
Místní ID                   c55d4c0b-b0aa-4ea1-b5b1-6e5ccc3609e9
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1229600543.197:2604): avc:  denied  { read write } for  pid=32114 comm="gpgkeys_hkp" name="2" dev=devpts ino=4 scontext=staff_u:staff_r:gpg_helper_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_devpts_t:s0 tclass=chr_file

node=viklef type=SYSCALL msg=audit(1229600543.197:2604): arch=40000003 syscall=11 success=yes exit=0 a0=b897c888 a1=bffd228c a2=bffd3a1c a3=1 items=0 ppid=32113 pid=32114 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=2 comm="gpgkeys_hkp" exe="/usr/lib/gnupg/gpgkeys_hkp" subj=staff_u:staff_r:gpg_helper_t:s0-s0:c0.c1023 key=(null)

Comment 1 Rex Dieter 2008-12-18 13:01:47 UTC
reassigning to selinux-policy per instructions.

Comment 2 Daniel Walsh 2008-12-18 15:34:44 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-35.fc10

Comment 3 Bug Zapper 2009-11-18 10:30:21 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping