Bug 1316717 - SELinux is preventing gpg2 from 'write' accesses on the directory /root.
SELinux is preventing gpg2 from 'write' accesses on the directory /root.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
24
x86_64 Unspecified
high Severity high
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:5b2bb949b499f7363af9616be17...
:
: 1304008 1317061 1317295 (view as bug list)
Depends On:
Blocks: F24FinalBlocker
  Show dependency treegraph
 
Reported: 2016-03-10 16:44 EST by Giulio 'juliuxpigface'
Modified: 2016-03-23 12:55 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-23 12:55:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Giulio 'juliuxpigface' 2016-03-10 16:44:44 EST
Description of problem:
I encountered this - and ~20 of other similar problems - while Abrt was collecting info for another bug report
SELinux is preventing gpg2 from 'write' accesses on the directory /root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpg2 should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gpg2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fwupd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        gpg2
Source Path                   gpg2
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-176.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc7.git0.2.fc24.x86_64 #1
                              SMP Tue Mar 8 02:20:08 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-03-10 22:39:56 CET
Last Seen                     2016-03-10 22:39:56 CET
Local ID                      86eb7411-d5e6-40ef-bd5e-3137929dd975

Raw Audit Messages
type=AVC msg=audit(1457645996.510:339): avc:  denied  { write } for  pid=2274 comm="gpg2" name="root" dev="vda3" ino=263 scontext=system_u:system_r:fwupd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1


Hash: gpg2,fwupd_t,admin_home_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-176.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport
Comment 1 Fedora Blocker Bugs Application 2016-03-15 16:45:58 EDT
Proposed as a Blocker for 24-final by Fedora user juliuxpigface using the blocker tracking app because:

 I've also encountered these issues (~ 20 denials) after installing the Fedora 24 Alpha 1.1 compose.

So... The bug seems to violate the "2.4.4 SELinux and crash notifications" F24 Final Criterion.

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Link:
https://fedoraproject.org/wiki/Fedora_24_Final_Release_Criteria#SELinux_and_crash_notifications
Comment 2 Lukas Vrabec 2016-03-16 06:20:56 EDT
*** Bug 1317295 has been marked as a duplicate of this bug. ***
Comment 3 Lukas Vrabec 2016-03-16 06:21:20 EDT
*** Bug 1317061 has been marked as a duplicate of this bug. ***
Comment 4 Lukas Vrabec 2016-03-16 06:21:44 EDT
*** Bug 1304008 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2016-03-16 09:41:12 EDT
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 6 Fedora Update System 2016-03-18 10:58:06 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 7 Fedora Update System 2016-03-23 12:54:13 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.