Bug 517797 - (staff_u) SELinux is preventing gpg (gpg_t) "read" usb_device_t.
Summary: (staff_u) SELinux is preventing gpg (gpg_t) "read" usb_device_t.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 517000
Reported: 2009-08-17 08:47 UTC by Matěj Cepl
Modified: 2018-04-11 12:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-28 18:30:05 UTC



Description Matěj Cepl 2009-08-17 08:47:40 UTC
Summary:

SELinux is preventing gpg (gpg_t) "read" usb_device_t.

Detailed Description:

SELinux denied access requested by gpg. It is not expected that this access is
required by gpg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                staff_u:staff_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                001 [ chr_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          bradford
Source RPM Packages           gnupg-1.4.9-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-77.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.6.fc11.x86_64 #1 SMP
                              Thu Aug 13 17:31:45 EDT 2009 x86_64 x86_64
Alert Count                   23
First Seen                    Mon 17 Aug 2009, 09:08:05 CEST
Last Seen                     Mon 17 Aug 2009, 10:19:00 CEST
Local ID                      a51fbb87-346d-4ce3-bbdf-c7d663b11cb1
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250497140.166:85): avc:  denied  { read } for  pid=9103 comm="gpg" name="001" dev=tmpfs ino=3126 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250497140.166:85): arch=c000003e syscall=2 success=no exit=-1496457256 a0=7fff44128b80 a1=0 a2=d a3=fffffffd items=0 ppid=9095 pid=9103 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="gpg" exe="/usr/bin/gpg" subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)

Comment 1 Matěj Cepl 2009-08-17 08:58:11 UTC
And I have more GPG-related AVC denials:


Summary:

SELinux is preventing emacs (staff_t) "signull" gpg_t.

Detailed Description:

SELinux denied access requested by emacs. It is not expected that this access is
required by emacs and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:gpg_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        emacs
Source Path                   /usr/bin/emacs-23.1
Port                          <Unknown>
Host                          bradford
Source RPM Packages           emacs-23.1-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-77.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.6.fc11.x86_64 #1 SMP
                              Thu Aug 13 17:31:45 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Aug 2009, 09:08:05 CEST
Last Seen                     Mon 17 Aug 2009, 09:08:05 CEST
Local ID                      6b0b7f70-e11f-442b-a13d-a456e3f80e8b
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250492885.623:43): avc:  denied  { signull } for  pid=3165 comm="emacs" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tclass=process

node=bradford type=SYSCALL msg=audit(1250492885.623:43): arch=c000003e syscall=62 success=no exit=-13 a0=cef a1=0 a2=7fffbc5ba950 a3=8 items=0 ppid=1 pid=3165 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="emacs" exe="/usr/bin/emacs-23.1" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


============================================================


Summary:

SELinux is preventing gpg (gpg_t) "read" usb_device_t.

Detailed Description:

SELinux denied access requested by gpg. It is not expected that this access is
required by gpg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                staff_u:staff_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                002 [ chr_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          bradford
Source RPM Packages           gnupg-1.4.9-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-77.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.6.fc11.x86_64 #1 SMP
                              Thu Aug 13 17:31:45 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Aug 2009, 09:08:05 CEST
Last Seen                     Mon 17 Aug 2009, 09:08:05 CEST
Local ID                      b548e87c-3113-4c79-9d05-fad058a329d3
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250492885.618:38): avc:  denied  { read } for  pid=3311 comm="gpg" name="002" dev=tmpfs ino=3339 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250492885.618:38): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb23eac80 a1=0 a2=d a3=fffffffd items=0 ppid=3165 pid=3311 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gpg" exe="/usr/bin/gpg" subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)


=======================================


Summary:

SELinux is preventing gpg (gpg_t) "read" usb_device_t.

Detailed Description:

SELinux denied access requested by gpg. It is not expected that this access is
required by gpg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                staff_u:staff_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                004 [ chr_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          bradford
Source RPM Packages           gnupg-1.4.9-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-77.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.6.fc11.x86_64 #1 SMP
                              Thu Aug 13 17:31:45 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Aug 2009, 10:19:00 CEST
Last Seen                     Mon 17 Aug 2009, 10:19:00 CEST
Local ID                      415ec61b-8c21-4329-84af-6bcb1594979a
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250497140.165:81): avc:  denied  { read } for  pid=9103 comm="gpg" name="004" dev=tmpfs ino=133415 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250497140.165:81): arch=c000003e syscall=2 success=no exit=-13 a0=7fff44128b80 a1=0 a2=d a3=fffffffd items=0 ppid=9095 pid=9103 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="gpg" exe="/usr/bin/gpg" subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)


========================================


Summary:

SELinux is preventing gpg (gpg_t) "read" usb_device_t.

Detailed Description:

SELinux denied access requested by gpg. It is not expected that this access is
required by gpg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                staff_u:staff_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                003 [ chr_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          bradford
Source RPM Packages           gnupg-1.4.9-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-77.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.6.fc11.x86_64 #1 SMP
                              Thu Aug 13 17:31:45 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Aug 2009, 09:33:53 CEST
Last Seen                     Mon 17 Aug 2009, 09:33:53 CEST
Local ID                      f800eafd-e7bf-4be2-b9b1-15a0f05fe57f
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250494433.619:66): avc:  denied  { read } for  pid=8476 comm="gpg" name="003" dev=tmpfs ino=109262 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250494433.619:66): arch=c000003e syscall=2 success=no exit=-13 a0=7fffae7e7140 a1=0 a2=d a3=fffffffd items=0 ppid=8466 pid=8476 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="gpg" exe="/usr/bin/gpg" subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)

Comment 2 Nalin Dahyabhai 2009-08-17 15:49:34 UTC
My guess is that this is happening when the built-in smart card support attempts to talk to the card reader devices directly.  If this is supposed to work for staff_u, then I guess we need to allow it.

Comment 3 Daniel Walsh 2009-08-18 12:59:44 UTC
Add 
	allow $2 gpg_t:process { signull sigstop signal sigkill };

to gpg.if

Add 

dev_read_generic_usb_dev(gpg_t)

to gpg.te
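As an added example (not from this bug or from the selinux-policy package), a small Python parser that does offline what audit2allow does with the raw audit messages quoted above: it groups the AVC records into the allow rules they imply, which is how one checks that the two policy additions in the previous comment cover the denials reported, and it pairs each AVC with the SYSCALL record of the same serial to confirm the access was actually refused (success=no, exit=-13) rather than only logged. The function names are mine and the sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Sample input: one gpg and one emacs AVC/SYSCALL pair, copied from this bug report.
SAMPLE = """
node=bradford type=AVC msg=audit(1250492885.618:38): avc:  denied  { read } for  pid=3311 comm="gpg" name="002" dev=tmpfs ino=3339 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
node=bradford type=SYSCALL msg=audit(1250492885.618:38): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb23eac80 a1=0 a2=d a3=fffffffd items=0 ppid=3165 pid=3311 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gpg" exe="/usr/bin/gpg" subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)
node=bradford type=AVC msg=audit(1250492885.623:43): avc:  denied  { signull } for  pid=3165 comm="emacs" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tclass=process
node=bradford type=SYSCALL msg=audit(1250492885.623:43): arch=c000003e syscall=62 success=no exit=-13 a0=cef a1=0 a2=7fffbc5ba950 a3=8 items=0 ppid=1 pid=3165 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="emacs" exe="/usr/bin/emacs-23.1" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
""".strip().splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value possibly double-quoted
def parse_record(line):
    """Parse one audit record into a dict of its fields; AVC records also get 'perms'."""
    head = re.search(r'type=(\w+) msg=audit\([\d.]+:(\d+)\):', line)
    if not head:
        return None
    rec = {'type': head.group(1), 'serial': int(head.group(2))}
    denied = re.search(r'denied\s+\{ ([^}]+) \}', line)
    if denied:
        rec['perms'] = denied.group(1).split()
    for key, value in KV_RE.findall(line):
        rec.setdefault(key, value.strip('"'))
    return rec

def allow_rules(lines):
    """Aggregate denials per (source type, target type, class) the way audit2allow does."""
    wanted = defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        if rec['type'] == 'AVC':  # the type is the third field of user:role:type[:range]
            src, tgt = rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2]
            wanted[(src, tgt, rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        plist = ' '.join(sorted(perms))
        perm = plist if len(perms) == 1 else '{ ' + plist + ' }'
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules

def denied_events(lines):
    """Pair each AVC with the SYSCALL record of the same serial; success=no means it was enforced."""
    by_serial = defaultdict(dict)
    for rec in filter(None, map(parse_record, lines)):
        by_serial[rec['serial']][rec['type']] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        if 'AVC' in recs:
            sc = recs.get('SYSCALL', {})
            events.append({'serial': serial, 'comm': recs['AVC']['comm'], 'exe': sc.get('exe'), 'enforced': sc.get('success') == 'no'})
    return events
```

Feeding it the report's lines yields `allow gpg_t usb_device_t:chr_file read;` and `allow staff_t gpg_t:process signull;`, the raw rules that dev_read_generic_usb_dev(gpg_t) and the gpg.if signal interface wrap.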

Comment 4 Miroslav Grepl 2009-08-20 15:10:32 UTC
Fixed in selinux-policy-3.6.12-79.fc11

Comment 6 Bug Zapper 2010-04-28 09:47:35 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

