Description of problem:
Logging into a KDE session as a user_u user.

SELinux is preventing gpg-agent from 'create' accesses on the file .gpg-agent-info.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow gpg to agent env file
Then you must tell SELinux about this by enabling the 'gpg_agent_env_file' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P gpg_agent_env_file 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that gpg-agent should be allowed create access on the .gpg-agent-info file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gpg-agent /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                user_u:user_r:gpg_agent_t:s0
Target Context                user_u:object_r:user_tmp_t:s0
Target Objects                .gpg-agent-info [ file ]
Source                        gpg-agent
Source Path                   gpg-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-12-22 19:23:05 BRST
Last Seen                     2014-12-22 19:26:42 BRST
Local ID                      f42c6108-69fe-479f-ade2-4a32cb9c2270

Raw Audit Messages
type=AVC msg=audit(1419283602.749:575): avc: denied { create } for pid=3405 comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=0

Hash: gpg-agent,gpg_agent_t,user_tmp_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Potential duplicate: bug 1139057
***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow gpg to agent env file
Then you must tell SELinux about this by enabling the 'gpg_agent_env_file' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P gpg_agent_env_file 1
(In reply to Daniel Walsh from comment #1)
> ***** Plugin catchall_boolean (89.3 confidence) suggests
> ******************
>
> If you want to allow gpg to agent env file
> Then you must tell SELinux about this by enabling the 'gpg_agent_env_file' boolean.
> You can read the 'None' man page for more details.
> Do
> setsebool -P gpg_agent_env_file 1

I didn't do anything out of the ordinary to get this setroubleshoot report; I just logged into a KDE session for a user_u user. IMHO, logging in as a user_u user shouldn't trigger any setroubleshoot warnings in the default configuration.

I took a look at https://github.com/TresysTechnology/refpolicy-contrib/blob/master/gpg.te, and this boolean seems to allow full access to the user home directory. However, looking at an unconfined_u user in the same machine, gpg-agent merely wants to create /run/user/<pid>/.gpg-agent-info; the boolean has a much wider effect than would be necessary.

I believe creating /run/user/<pid>/.gpg-agent-info by gpg-agent could be allowed by default, while the boolean could be left for when the user wants to create that file anywhere else. If there's a good reason why creating /run/user/<pid>/.gpg-agent-info by gpg-agent as user_u should be forbidden by default, it at least should be silent.
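The setroubleshoot report suggests piping the raw AVC record through audit2allow, and comment #2 argues that the access actually denied is far narrower than what the gpg_agent_env_file boolean opens up. The following is an added example, not code from the bug report, from setroubleshoot or from audit2allow: it parses the AVC record quoted in the description into its subject type, object type, class and permissions, reports whether the access was really blocked (permissive=0) or only logged, and renders the minimal TE allow rule that covers exactly the logged denials, in the same form audit2allow emits into a generated .te file. The second record (AVC_CONSTRUCTED) is constructed here to exercise the multi-permission and permissive-mode paths; it is not from the report.

```python
import re
from dataclasses import dataclass

# The raw AVC record quoted in this bug report.
AVC_FROM_REPORT = (
    "type=AVC msg=audit(1419283602.749:575): avc: denied { create } for pid=3405 "
    'comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 '
    "tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=0"
)

# Constructed record (not from the report): same subject and object, two
# permissions in one brace group, recorded while the domain was permissive.
AVC_CONSTRUCTED = (
    "type=AVC msg=audit(1419283700.000:600): avc: denied { read write } for pid=4242 "
    'comm="gpg-agent" name=".gpg-agent-info" scontext=user_u:user_r:gpg_agent_t:s0 '
    "tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=1"
)

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str   # "denied" or "granted"
    perms: list     # permissions inside the braces, in log order
    fields: dict    # key=value pairs that follow the brace group

    def type_of(self, key):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields[key].split(":")[2]

    def enforced(self):
        # permissive=0: the kernel blocked the access.
        # permissive=1: the denial was only logged, the access went through.
        return self.decision == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line):
    """Parse one audit AVC record into an AvcRecord."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    # Only the text after the brace group carries the key=value fields; the
    # msg=audit(...) prefix is deliberately skipped.
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s" % required)
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def merge_rules(records):
    """Collapse records into {(source_type, target_type, class): sorted perms},
    the grouping audit2allow performs before writing allow rules."""
    merged = {}
    for rec in records:
        key = (rec.type_of("scontext"), rec.type_of("tcontext"), rec.fields["tclass"])
        merged.setdefault(key, set()).update(rec.perms)
    return {k: sorted(v) for k, v in merged.items()}


def te_rules(records):
    """Render the merged denials as TE allow statements, one per line."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(merge_rules(records).items()):
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        lines.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return lines


if __name__ == "__main__":
    recs = [parse_avc(AVC_FROM_REPORT), parse_avc(AVC_CONSTRUCTED)]
    for r in recs:
        print("%s %s -> %s:%s blocked=%s" % (
            r.type_of("scontext"), r.perms, r.type_of("tcontext"),
            r.fields["tclass"], r.enforced()))
    print("\n".join(te_rules(recs)))
```

For the record in the report this yields a single line, `allow gpg_agent_t user_tmp_t:file create;`, which is the whole of what the denied access needs; that is the concrete shape of the "narrow" permission comment #2 contrasts with the boolean. Reading the generated .te before running semodule -i, rather than loading mypol.pp blind, is how you confirm a local module does not grant more than the denials you meant to cover.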
Yes I agree this should be allowed by default.
commit 6e1ea4e6bcc1156d8ae943d6648ca11a5e455541
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 15 15:28:10 2015 +0100

    Remove boolean gpg_agent_env_file
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.