2077777 – insight-clients tries to create /root/.gnupg

Bug 2077777 - insight-clients tries to create /root/.gnupg

Summary: insight-clients tries to create /root/.gnupg

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	insights-client
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	CSI Client Tools Bugs
QA Contact:	Pavol Kotvan
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2113881 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-04-22 08:40 UTC by Pino Toscano
Modified:	2023-06-27 11:06 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2077778 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-119657	0	None	None	None	2022-04-22 08:44:27 UTC

Description Pino Toscano 2022-04-22 08:40:39 UTC

Description of problem:
insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials:

audit: type=1400 audit(1650615650.790:4): avc:  denied  { read } for  pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.810:5): avc:  denied  { read } for  pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:6): avc:  denied  { getattr } for  pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:7): avc:  denied  { write } for  pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0

`gpg` tries to create its own homedir (~/.gnupg by default): this of course fails in case insights-client is invoked not manually, but e.g. by cockpit (from the subscription-manager plugin) or as systemd service.

Possible solutions to avoid this:
- create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations
- use a Python library for validating signatures -- python3-gpg, i.e. the Python binding of GPGME [1], seems a potential good candidate, as it is already shipped in BaseOS (even in RHEL 8)

[1] https://gnupg.org/software/gpgme/index.html

Version-Release number of selected component (if applicable):
insights-client-3.1.7-8.el9.noarch

Comment 3 mabezerr 2022-08-31 14:59:56 UTC

*** Bug 2113881 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.