Following http://blog.habets.pp.se/2013/02/GPG-and-SSH-with-Yubikey-NEO I tried to run this:

$ gpg-agent --enable-ssh-support --daemon ssh-add -l

but this generates this error message:

gpg-agent[6967]: failed to run the command: Permission non accordée

and 276 AVCs. 271 are due to gpg-agent trying to access everything in /dev/, like this:

type=AVC msg=audit(1385388831.734:1954): avc: denied { getattr } for pid=6967 comm="gpg-agent" path="/dev/tty60" dev="devtmpfs" ino=1101 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

The 5 others are:

type=AVC msg=audit(1385388821.398:1745): avc: denied { execute } for pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385388821.398:1746): avc: denied { execute } for pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385388821.398:1747): avc: denied { signal } for pid=6460 comm="gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1385388831.630:1788): avc: denied { getattr } for pid=6967 comm="gpg-agent" path="/proc/kcore" dev="proc" ino=4026532032 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
type=AVC msg=audit(1385388831.647:1926): avc: denied { getattr } for pid=6967 comm="gpg-agent" path="/proc/kcore" dev="proc" ino=4026532032 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file

setenforce 0 makes the command work fine.
8e6715385c9afc423b85024f9cd888051fc7852d fixes this in git. With setenforce 0, did you get any additional AVC messages?
With setenforce 0, I have far fewer messages:

type=AVC msg=audit(1385393008.650:2649): avc: denied { execute } for pid=13266 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385393008.650:2649): avc: denied { execute_no_trans } for pid=13266 comm="gpg-agent" path="/usr/bin/ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2650): avc: denied { read } for pid=13266 comm="ssh-add" name="openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2650): avc: denied { open } for pid=13266 comm="ssh-add" path="/etc/pki/tls/openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2651): avc: denied { getattr } for pid=13266 comm="ssh-add" path="/etc/pki/tls/openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file

I guess that's because it is not allowed to change the domain in the first place?
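Added triage helper, not part of this bug report or of the selinux-policy package: it parses AVC records like the ones quoted in the two comments above, counts denials by source type, permission, target type and object class (so hundreds of tty_device_t getattr lines collapse into one row), and lists which commands produced denials while running in gpg_agent_t, which is how you can see ssh-add inheriting the agent's domain rather than transitioning. The sample records are constructed after the ones posted here.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1385388831.734:1954): avc: denied { getattr } for pid=6967 comm="gpg-agent" path="/dev/tty60" dev="devtmpfs" ino=1101 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1385388831.735:1955): avc: denied { getattr } for pid=6967 comm="gpg-agent" path="/dev/tty61" dev="devtmpfs" ino=1102 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1385388821.398:1745): avc: denied { execute } for pid=6460 comm="gpg-agent" name="ssh-add" dev="dm-2" ino=1185779 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1385393008.657:2650): avc: denied { read open } for pid=13266 comm="ssh-add" name="openssl.cnf" dev="dm-2" ino=2229487 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=USER_AVC msg=audit(1385393008.700:2652): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='avc: received setenforce notice (enforcing=0)'
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC record into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()  # one record may list several permissions
    fields["stype"] = context_type(fields.get("scontext", ""))
    fields["ttype"] = context_type(fields.get("tcontext", ""))
    return fields


def summarize(lines):
    """Count denials by (source type, permission, target type, object class)."""
    counts = Counter()
    for avc in filter(None, map(parse_avc, lines)):
        if avc["result"] != "denied":
            continue
        for perm in avc["perms"]:
            counts[(avc["stype"], perm, avc["ttype"], avc.get("tclass", ""))] += 1
    return counts


def commands_in_domain(lines, domain):
    """Names of the processes that produced denials while running in `domain`."""
    return {avc["comm"] for avc in filter(None, map(parse_avc, lines))
            if avc["stype"] == domain and "comm" in avc}


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    for key, n in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {key[0]} -> {key[2]}  {key[1]} ({key[3]})")
    # ssh-add appearing here means it kept gpg_agent_t instead of transitioning.
    print("running as gpg_agent_t:", sorted(commands_in_domain(lines, "gpg_agent_t")))
```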
b49f963506f6e60e351123991eb3bfc8658c8baf is also needed, then.
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'

as soon as you are able to. Please go to the following url:

https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20

then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.