Bug 523602 - setroubleshoot: SELinux is preventing the /usr/bin/gpg from using potentially mislabeled files (.spamassassin12190tHoh5stmp).
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ffc261c496c...
Depends On:
Blocks: F12Target
 
Reported: 2009-09-16 05:50 UTC by Nicolas Mailhot
Modified: 2009-09-16 12:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-16 12:47:09 UTC
Type: ---
Embargoed:



Description Nicolas Mailhot 2009-09-16 05:50:07 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing the /usr/bin/gpg from using potentially mislabeled files
(.spamassassin12190tHoh5stmp).

Detailed description:

SELinux has denied gpg access to potentially mislabeled file(s)
(.spamassassin12190tHoh5stmp). This means that SELinux will not allow gpg to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing access:

If you want gpg to access these files, you need to relabel them using restorecon
-v '.spamassassin12190tHoh5stmp'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional information:

Source context                system_u:system_r:gpg_t:s0-s0:c0.c1023
Target context                system_u:object_r:system_cronjob_tmp_t:s0
Target objects                .spamassassin12190tHoh5stmp [ file ]
Source                        gpg
Source path                   /usr/bin/gpg
Port                          <Unknown>
Host                          (removed)
Source RPM packages           gnupg-1.4.10-1.fc12
Target RPM packages           
Policy RPM                    selinux-policy-3.6.31-4.fc12
SELinux enabled               True
Policy type                   targeted
MLS enabled                   True
Enforcing mode                Enforcing
Plugin name                   home_tmp_bad_labels
Host name                     (removed)
Platform                      Linux (removed) 2.6.31-14.fc12.x86_64 #1 SMP Tue
                              Sep 15 03:48:57 EDT 2009 x86_64 x86_64
Alert count                   1
First seen                    Wed 16 Sep 2009 04:46:03 CEST
Last seen                     Wed 16 Sep 2009 04:46:03 CEST
Local ID                      98f9c551-3673-41d8-a624-e66229119476
Line numbers                  

Raw audit messages            

node=(removed) type=AVC msg=audit(1253069163.35:244): avc:  denied  { read } for  pid=12191 comm="gpg" name=".spamassassin12190tHoh5stmp" dev=dm-3 ino=102831 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cronjob_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1253069163.35:244): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbf25df45 a1=0 a2=1b6 a3=0 items=0 ppid=12190 pid=12191 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= gpg_t ==============
allow gpg_t system_cronjob_tmp_t:file read;
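
The denial above, parsed the way audit2allow does, as an added example that is not part of this report, of setroubleshoot or of audit2allow. It takes the two audit records quoted above as constructed input, merges AVC lines into allow rules, and flags the cross-domain tmp label that, as the resolution of this bug shows, is a policy defect to fix in selinux-policy rather than a rule to add locally; the mislabeled_tmp heuristic is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in this report (host name removed).
AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1253069163.35:244): avc:  denied  { read } for  pid=12191 comm="gpg" name=".spamassassin12190tHoh5stmp" dev=dm-3 ino=102831 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cronjob_tmp_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1253069163.35:244): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbf25df45 a1=0 a2=1b6 a3=0 items=0 ppid=12190 pid=12191 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)
"""

# Only AVC records describe a denial; the SYSCALL record just identifies the calling process.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) .*?tcontext=(?P<tcontext>\S+) .*?tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(log_text):
    """Extract source type, target type, object class and permissions from each AVC line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "perms": set(m.group("perms").split()),
                "stype": m.group("scontext").split(":")[2],  # user:role:type[:range]
                "ttype": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
            })
    return denials

def allow_rules(denials):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text))
    return rules

def mislabeled_tmp(denial):
    """Heuristic (this example's assumption, not a setroubleshoot plugin): a confined
    domain touching another domain's *_tmp_t file usually means a mislabeled file or a
    missing type transition, which belongs in policy rather than in a local allow rule."""
    own_tmp = denial["stype"][:-len("_t")] + "_tmp_t"  # gpg_t -> gpg_tmp_t
    return denial["ttype"].endswith("_tmp_t") and denial["ttype"] != own_tmp
```

On a live system the input would come from `ausearch -m AVC` or /var/log/audit/audit.log instead of the embedded sample.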

Comment 1 Nicolas Mailhot 2009-09-16 05:52:47 UTC
spamassassin comes with a cron job that updates its rules over the network, checking their gpg signature as a safety measure

channel: lint check of update failed, channel failed
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed

Comment 2 Daniel Walsh 2009-09-16 12:47:09 UTC
Fixed in selinux-policy-3.6.31-6.fc12.noarch

