Bug 895610

Summary: Deja-dup cannot execute gpg
Product: [Fedora] Fedora
Reporter: Ruslan Sagitov <rs>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 17
CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-12 05:09:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description | Flags
AVC1 | none
AVC2 | none

Description Ruslan Sagitov 2013-01-15 16:22:08 UTC
Description of problem:

Deja-dup is a small utility from GNOME, which backs up data. One of the features of Deja-dup is to encrypt data before storing it at a remote location. Encryption is done via GPG (GNU Privacy Guard) with the user’s private key.

SELinux fires two AVCs when encrypting:
 1. Preventing ssh-agent from reading .local/share/keystore (gnome-keyring, the place where the passphrase for the private key is stored)
 2. Preventing gpg from writing to .cache (the cache directory that Deja-dup chose)

It’s much safer to allow Deja-dup to encrypt data before storing it at a remote location, you know.

Version-Release number of selected component (if applicable):

Fedora 17.

selinux-policy-3.10.0-166.fc17.noarch
selinux-policy-targeted-3.10.0-166.fc17.noarch

Expected results:

No AVC denials on backing up.

Additional info:

 * Switch to staff_u:staff_r before.

AVC (first):

type=AVC msg=audit(1358265127.922:158): avc:  denied  { read } for  pid=2611 comm="ssh-agent" name="keystore" dev="sda5" ino=7865252 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:data_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1358265127.922:158): arch=i386 syscall=openat success=yes exit=EEXIST a0=ffffff9c a1=8c39f18 a2=98800 a3=0 items=0 ppid=1 pid=2611 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=ssh-agent exe=/usr/bin/gnome-keyring-daemon subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)

AVC (second):

type=AVC msg=audit(1358265217.730:160): avc:  denied  { write } for  pid=2827 comm="gpg" path="/home/ruslansagitov/.cache/deja-dup/1463af8dcef0b6b3cc2eb4826bd73b82/duplicity-_K4iZu-tempdir/mktemp-i3M5JC-1" dev="sda5" ino=10617244 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file

type=SYSCALL msg=audit(1358265217.730:160): arch=i386 syscall=execve success=yes exit=0 a0=9bd64e0 a1=9a238b0 a2=9850810 a3=9a238e0 items=0 ppid=2726 pid=2827 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=gpg exe=/usr/bin/gpg subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)

Comment 1 Ruslan Sagitov 2013-01-15 16:23:51 UTC
Created attachment 678873 [details]
AVC1

Comment 2 Ruslan Sagitov 2013-01-15 16:24:10 UTC
Created attachment 678874 [details]
AVC2

Comment 3 Daniel Walsh 2013-01-15 22:54:28 UTC
The first access is currently allowed in F18.

#============= staff_gkeyringd_t ==============
#!!!! This avc is allowed in the current policy

allow staff_gkeyringd_t data_home_t:dir read;

The second access is actually a leak, and should not be causing gpg any problems.

I will allow it in F19.

Miroslav, can you backport?
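
As an added illustration (not part of the bug report or the Fedora policy sources), the snippet below parses AVC records like the two quoted in the description and derives the `allow` rule each one would translate to, which is the step audit2allow performs; the sample lines are constructed from the report with the home path shortened. As this thread shows, the derived rule is only a starting point for a maintainer's judgement: the first denial was already allowed in the current policy, and the second is a leaked descriptor rather than an access gpg needs.

```python
import re

# Constructed sample lines, shortened from the two AVC records quoted in the report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1358265127.922:158): avc:  denied  { read } for  pid=2611 '
    'comm="ssh-agent" name="keystore" dev="sda5" ino=7865252 '
    'scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:data_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1358265217.730:160): avc:  denied  { write } for  pid=2827 '
    'comm="gpg" path="/home/user/.cache/deja-dup/tmp" dev="sda5" ino=10617244 '
    'scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:cache_home_t:s0 tclass=file',
]

# Permission set in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "verdict": d["verdict"],
        "perms": d["perms"].split(),
        # A context is user:role:type[:range]; the type is what policy rules name.
        "stype": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        "comm": comm.group(1) if comm else None,
    }


def rules_from_log(lines):
    """Aggregate denials per (source type, target type, class) into allow rules."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules
```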

Comment 4 Miroslav Grepl 2013-01-17 11:53:00 UTC
Backported.

commit d2139d5b7f5eb98918a9d7779b911a08803edce6
Author: Miroslav Grepl <mgrepl>
Date:   Thu Jan 17 12:49:44 2013 +0100

    Allow gpg_t to manage all gnome files

Comment 5 Fedora Update System 2013-02-04 22:05:10 UTC
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17

Comment 6 Fedora Update System 2013-02-05 17:03:16 UTC
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-02-12 05:09:44 UTC
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.