Bug 119369 - gnupg doesn't work with SELinux enforcement turned on
Product: Fedora
Classification: Fedora
Component: gnupg
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Mike McLean
Blocks: 122683
Reported: 2004-03-29 17:06 EST by Konstantin Ryabitsev
Modified: 2007-11-30 17:10 EST
Last Closed: 2005-02-09 13:54:36 EST
Description Konstantin Ryabitsev 2004-03-29 17:06:00 EST
Description of problem:
icon@hagrid:[~]$ gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: fatal: /home/einstein/staff/icon/.gnupg: can't create directory:
Permission denied
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
icon@hagrid:[~]$ ls -ld .gnupg
drwxrwxr-x  2 icon icon 4096 Mar 29 14:00 .gnupg/
icon@hagrid:[~]$ pwd

The following lands in /var/log/messages:

Mar 29 16:18:54 hagrid kernel: audit(1080595134.292:0): avc:  denied 
{ search } for  pid=17491 exe=/usr/bin/gpg dev= ino=2648
scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:autofs_t

Version-Release number of selected component (if applicable):
icon@hagrid:[~]$ rpm -q gnupg

How reproducible:

Steps to Reproduce:
1. Issue any gpg command.
Actual results:
Fails with "unable to create .gnupg directory: permission denied"

Expected results:
Should function.

Additional info:
Looks like the default policy for gpg needs to be corrected.
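
Added example (not part of the original report and not code from the Fedora policy tooling): a small parser for AVC denial records like the one quoted above, which rejoins the hard-wrapped syslog lines, tolerates the empty "dev=" value, and groups denied permissions by source and target type. The function names and the second sample log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in this report, hard-wrapped over three
# lines exactly as pasted, followed by one made-up unrelated syslog line.
SAMPLE_LOG = """\
Mar 29 16:18:54 hagrid kernel: audit(1080595134.292:0): avc:  denied
{ search } for  pid=17491 exe=/usr/bin/gpg dev= ino=2648
scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:autofs_t
Mar 29 16:19:02 hagrid crond[1201]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. the bare "dev="

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def ctx_type(ctx):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(record):
    """Parse one unwrapped record; return None if it is not an AVC message."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group(3)))
    return {"result": m.group(1), "perms": m.group(2).split(), "exe": f.get("exe"),
            "dev": f.get("dev"), "source_type": ctx_type(f.get("scontext")),
            "target_type": ctx_type(f.get("tcontext")), "tclass": f.get("tclass")}

def summarize(text):
    """Map (source type, target type, tclass) -> sorted denied permissions."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_avc, unwrap(text))):
        if rec["result"] == "denied":
            out[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print(key, perms)
```

For the record in this report the summary is a single entry: user_gpg_t denied search on autofs_t, with tclass reported as None because the quoted record carries no tclass field.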
Comment 1 Chen Nan 2004-04-02 09:02:43 EST
Similar problem here. I couldn't generate new key:
[chennan@localhost chennan]$ gpg --gen-key
gpg (GnuPG) 1.2.4; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the
user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo Bar
Email address: fb@fb.org
You selected this USER-ID:
    "Foo Bar <fb@fb.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: fatal: can't open /dev/random: Permission denied
secmem usage: 2208/2240 bytes in 6/7 blocks of pool 2240/32768
Comment 2 Daniel Walsh 2004-04-12 15:22:25 EDT
Fixed in policy-1.11.1-2
Comment 3 Daniel Walsh 2005-02-09 13:54:36 EST
Fixed in current release