Bug 2077777 - insight-clients tries to create /root/.gnupg
Summary: insight-clients tries to create /root/.gnupg
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: insights-client
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: CSI Client Tools Bugs
QA Contact: Pavol Kotvan
URL:
Whiteboard:
Duplicates: 2113881
Depends On:
Blocks:
Reported: 2022-04-22 08:40 UTC by Pino Toscano
Modified: 2023-06-27 11:06 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2077778
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-119657 0 None None None 2022-04-22 08:44:27 UTC

Description Pino Toscano 2022-04-22 08:40:39 UTC
Description of problem:
insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials:

audit: type=1400 audit(1650615650.790:4): avc:  denied  { read } for  pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.810:5): avc:  denied  { read } for  pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:6): avc:  denied  { getattr } for  pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:7): avc:  denied  { write } for  pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0

`gpg` tries to create its own homedir (~/.gnupg by default): this of course fails in case insights-client is invoked not manually, but e.g. by cockpit (from the subscription-manager plugin) or as a systemd service.

Possible solutions to avoid this:
- create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations
- use a Python library for validating signatures -- python3-gpg, i.e. the Python binding of GPGME [1], seems a potentially good candidate, as it is already shipped in BaseOS (even in RHEL 8)

[1] https://gnupg.org/software/gpgme/index.html

Version-Release number of selected component (if applicable):
insights-client-3.1.7-8.el9.noarch
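The first workaround suggested above (a throwaway `--homedir` so `gpg` never touches ~/.gnupg), worked through in Python as an added example that is not insights-client's own code. The key, signature and data paths are assumed arguments; `gpgconf --kill all` is used to stop the gpg-agent/keyboxd processes that GnuPG 2.x may start inside the temporary directory before it is removed.

```python
"""Verify a detached GPG signature with a temporary keyring directory.

Added example (not insights-client code): every gpg invocation gets
--homedir pointing at a private, short-lived directory, so a confined
service never tries to read or create /root/.gnupg.
"""
import shutil
import subprocess
import tempfile


def build_verify_argv(homedir, sig_path, data_path, gpg="gpg"):
    """argv for a non-interactive verification confined to `homedir`."""
    return [
        gpg,
        "--homedir", homedir,    # keyring and trustdb live here, not ~/.gnupg
        "--batch", "--no-tty",   # never prompt; safe under systemd or cockpit
        "--no-default-keyring",
        "--verify", sig_path, data_path,
    ]


def verify_detached(pubkey_path, sig_path, data_path, gpg="gpg"):
    """Return (ok, stderr_text) for `sig_path` over `data_path`.

    mkdtemp creates the homedir with mode 0700.  A fresh keyring holds only
    the imported key; gpg prints a "not certified" warning for it but still
    exits 0 on a good signature, which is what `ok` reports.
    """
    homedir = tempfile.mkdtemp(prefix="insights-gpg-")
    try:
        subprocess.run(
            [gpg, "--homedir", homedir, "--batch", "--no-tty",
             "--import", pubkey_path],
            check=True, capture_output=True,
        )
        proc = subprocess.run(
            build_verify_argv(homedir, sig_path, data_path, gpg),
            capture_output=True, text=True,
        )
        return proc.returncode == 0, proc.stderr
    finally:
        # GnuPG 2.x may have spawned gpg-agent/keyboxd for this homedir;
        # stop them so their sockets do not outlive the directory.
        if shutil.which("gpgconf"):
            subprocess.run(["gpgconf", "--homedir", homedir, "--kill", "all"],
                           capture_output=True)
        shutil.rmtree(homedir, ignore_errors=True)
```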

Comment 3 mabezerr 2022-08-31 14:59:56 UTC
*** Bug 2113881 has been marked as a duplicate of this bug. ***