Bug 526629

Summary: (selinux-policy) channel: GPG validation failed, channel failed
Product: Fedora
Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: spamassassin
Assignee: Warren Togami <wtogami>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, kevin, wtogami
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-10-07 16:52:09 EDT
Bug Blocks: 473303

Description Nicolas Mailhot 2009-10-01 02:13:55 EDT
Description of problem:

gpg: failed to create temporary file
Permission denied
gpg: can't allocate lock for `/etc/mail/spamassassin/sa-update-keys/pubring.gpg'
gpg: failed to create temporary file
Permission denied
gpg: can't allocate lock for `/etc/mail/spamassassin/sa-update-keys/secring.gpg'
gpg: error writing keyring
`/etc/mail/spamassassin/sa-update-keys/pubring.gpg': general error
gpg: error reading `/usr/share/spamassassin/sought-pubkey.txt': general error
gpg: import from `/usr/share/spamassassin/sought-pubkey.txt' failed: general
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
gpg: fatal: can't create lock for
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
channel: GPG validation failed, channel failed
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:


Perhaps you need to import the channel's GPG key?  For example:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

channel: GPG validation failed, channel failed

Probably related to


SELinux is preventing /usr/bin/gpg "write" access on

Detailed description:

SELinux denied access requested by gpg. It is not expected that this access is
required by gpg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional information:

Source context               system_u:system_r:gpg_t:s0-s0:c0.c1023
Target context               system_u:object_r:etc_mail_t:s0
Target objects               /etc/mail/spamassassin/sa-update-keys [ dir ]
Source                       gpg
Source path                  /usr/bin/gpg
Port                         <Unknown>
Host                         arekh.okg
Source RPM packages          gnupg-1.4.10-1.fc12
Target RPM packages          
Policy RPM                   selinux-policy-3.6.32-13.fc12
SELinux enabled              True
Policy type                  targeted
MLS enabled                  True
Enforcing mode               Enforcing
Plugin name                  catchall
Host name                    
Platform                     Linux #1 SMP Tue
                             Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert count                  3
First seen                   Thu 01 Oct 2009 04:28:03 CEST
Last seen                    Thu 01 Oct 2009 04:28:09 CEST
Local ID                     3def77ec-3bbc-4778-bb93-50febd56e1d0
Line numbers                 

Raw audit messages           

node=arekh.okg type=AVC msg=audit(1254364089.670:1022): avc:  denied  { write } for  pid=4415 comm="gpg" name="sa-update-keys" dev=dm-3 ino=286761 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir

node=arekh.okg type=SYSCALL msg=audit(1254364089.670:1022): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2230e4530 a1=c1 a2=1a4 a3=fffffff7 items=0 ppid=4405 pid=4415 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=26 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):


Please work with the selinux guys so sa works as-is on a vanilla F12 system
Comment 1 Warren Togami 2009-10-07 14:59:51 EDT
node=newcaprica type=AVC msg=audit(1254941811.496:71): avc: denied { write } for pid=12898 comm="gpg" name="sa-update-keys" dev=sda1 ino=589853 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir

node=newcaprica type=SYSCALL msg=audit(1254941811.496:71): arch=c000003e syscall=2 success=no exit=-13 a0=b83bc0 a1=c1 a2=1a4 a3=fffffff6 items=0 ppid=12875 pid=12898 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gpg" exe="/usr/bin/gpg2" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)

Please also be sure that /usr/bin/gpg2 is allowed to do this in addition to /usr/bin/gpg.  There is a separate proposal to get rid of gnupg and ship only gnupg2.
Comment 2 Daniel Walsh 2009-10-07 16:52:09 EDT
Fixed in selinux-policy-3.6.32-22.fc12.noarch
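The AVC and SYSCALL records quoted in the description and in comment 1 carry everything needed to see why sa-update fails: gpg (gpg_t) is denied write on a directory labelled etc_mail_t and the open() returns EACCES. The following parser is an added example, not code from this bug or from spamassassin/selinux-policy; it joins each AVC record to its SYSCALL record by event serial, extracts the source and target types, and derives the allow rule audit2allow would produce (the shape of the local policy module the sealert text refers to, whereas the bug itself was fixed in the distribution policy). The sample input is constructed from the four records quoted above.

```python
import errno
import re

# Added example (not code from the bug or from spamassassin/selinux-policy).
# Constructed input: the four audit records quoted in the description and comment 1.
SAMPLE_AUDIT = """\
node=arekh.okg type=AVC msg=audit(1254364089.670:1022): avc:  denied  { write } for  pid=4415 comm="gpg" name="sa-update-keys" dev=dm-3 ino=286761 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
node=arekh.okg type=SYSCALL msg=audit(1254364089.670:1022): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2230e4530 a1=c1 a2=1a4 a3=fffffff7 items=0 ppid=4405 pid=4415 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=26 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)
node=newcaprica type=AVC msg=audit(1254941811.496:71): avc: denied { write } for pid=12898 comm="gpg" name="sa-update-keys" dev=sda1 ino=589853 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
node=newcaprica type=SYSCALL msg=audit(1254941811.496:71): arch=c000003e syscall=2 success=no exit=-13 a0=b83bc0 a1=c1 a2=1a4 a3=fffffff6 items=0 ppid=12875 pid=12898 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gpg" exe="/usr/bin/gpg2" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value / key="quoted value"
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for')   # the denied permission set
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')         # timestamp:serial of the event

def parse_record(line):
    """One audit record -> dict of its fields; AVC records also get a 'perms' list."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['event'] = EVENT_RE.search(line).group(1)  # shared by the AVC and SYSCALL records
    m = AVC_RE.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def type_of(context):
    """Third field of an SELinux context (user:role:type:range) is the type."""
    return context.split(':')[2]

def summarize_denials(text):
    """Join each AVC record to its SYSCALL record by event serial and describe the denial."""
    by_event = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        by_event.setdefault(rec['event'], {})[rec['type']] = rec
    results = []
    for event, recs in by_event.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        src, tgt = type_of(avc['scontext']), type_of(avc['tcontext'])
        results.append({
            'event': event, 'host': avc['node'],
            'exe': sc.get('exe', avc['comm']),   # /usr/bin/gpg on one host, /usr/bin/gpg2 on the other
            'source_type': src, 'target_type': tgt, 'tclass': avc['tclass'], 'perms': avc['perms'],
            'errno': errno.errorcode.get(-int(sc['exit'])) if 'exit' in sc else None,  # -13 -> EACCES
            # Allow rule audit2allow would derive from this AVC (what a local policy module would contain).
            'rule': f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        })
    return results
```

Running summarize_denials(SAMPLE_AUDIT) yields one entry per host, both showing gpg_t denied { write } on a dir of type etc_mail_t with EACCES, which is exactly the "Permission denied" gpg reports before sa-update declares the channel failed.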