Bug 523602 - setroubleshoot: SELinux is preventing the /usr/bin/gpg from using potentially mislabeled files (.spamassassin12190tHoh5stmp).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:ffc261c496c...
Blocks: F12Target
Reported: 2009-09-16 01:50 EDT by Nicolas Mailhot
Modified: 2009-09-16 08:47 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-16 08:47:09 EDT


Description Nicolas Mailhot 2009-09-16 01:50:07 EDT
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing the /usr/bin/gpg from using potentially mislabeled files
(.spamassassin12190tHoh5stmp).

Description détaillée:

SELinux has denied gpg access to potentially mislabeled file(s)
(.spamassassin12190tHoh5stmp). This means that SELinux will not allow gpg to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Autoriser l'accès:

If you want gpg to access this files, you need to relabel them using restorecon
-v '.spamassassin12190tHoh5stmp'. You might want to relabel the entire directory
using restorecon -R -v ''.

Informations complémentaires:

Contexte source               system_u:system_r:gpg_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:system_cronjob_tmp_t:s0
Objets du contexte            .spamassassin12190tHoh5stmp [ file ]
source                        gpg
Chemin de la source           /usr/bin/gpg
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         gnupg-1.4.10-1.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.31-4.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 home_tmp_bad_labels
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-14.fc12.x86_64 #1 SMP Tue
                              Sep 15 03:48:57 EDT 2009 x86_64 x86_64
Compteur d'alertes            1
Première alerte              mer. 16 sept. 2009 04:46:03 CEST
Dernière alerte              mer. 16 sept. 2009 04:46:03 CEST
ID local                      98f9c551-3673-41d8-a624-e66229119476
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1253069163.35:244): avc:  denied  { read } for  pid=12191 comm="gpg" name=".spamassassin12190tHoh5stmp" dev=dm-3 ino=102831 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cronjob_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1253069163.35:244): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbf25df45 a1=0 a2=1b6 a3=0 items=0 ppid=12190 pid=12191 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= gpg_t ==============
allow gpg_t system_cronjob_tmp_t:file read;
Comment 1 Nicolas Mailhot 2009-09-16 01:52:47 EDT
spamassassin comes with a cron that updates its rules over the network, checking their gpg signature as a safety

channel: lint check of update failed, channel failed
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
Comment 2 Daniel Walsh 2009-09-16 08:47:09 EDT
Fixed in selinux-policy-3.6.31-6.fc12.noarch
