Created attachment 384929 [details] avc messages extracted from /var/log/messages Description of problem: gpg cannot read/write files (as root) in /root/.gnupg or /var when used in a script started by a cron job. I have a backup script of my own that creates some tar files in /var/backup, after which I'm using gpg to encrypt them (and then later write them to an external disk). When this backup script is run by root on the command line, everything is running fine, but when this backup script is run as a cron job as root (via /etc/cron.d), gpg cannot access any files in /root/.gnupg or /var/backup. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.6.32-66.fc12.noarch How reproducible: Always Steps to Reproduce: 1. make a script that uses gpg to encrypt something in /var 2. add it as cron job 3. wait for the cron job to fire Actual results: gpg gets "Permission denied" errors. Expected results: gpg should succeed in encrypting the file in /var Additional info: The test script I was using is the following: id > /tmp/testcron cd /var/backup /usr/bin/gpg -q -c --no-options --no-tty --cipher-algo AES --passphrase-file tmpfile etc.tgz and it is started in /etc/cron.d as follows (I've put it to be run every 5 minutes, to be able to test and improve...): */5 * * * * root /root/testcron When the script is run on the command line, the /tmp/testcron file contains the following id (written by the first line in the script): uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 When the script is run from the cron job, /tmp/testcron contains the following: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 The only difference is the selinux security context. I know the basics of selinux, but I wasn't able to understand why it didn't work as cron job, but by experimenting with audit2allow, I found that I could fix the problems by using the following module: module mygpg 1.0; require { type admin_home_t; type var_t; type gpg_t; class file { read lock create write getattr open }; class dir { write search add_name }; } #============= gpg_t ============== allow gpg_t admin_home_t:dir search; allow gpg_t admin_home_t:file { read lock write open }; allow gpg_t var_t:dir { write add_name }; allow gpg_t var_t:file { read write getattr open create }; Is there a reason why this is not in the selinux-policy-targeted? It's also not clear to me why this gives a problem in a cron job, since the changes I made have nothing to do with cron... As a side note, is there a tool that allows to trace selinux transitions on something that works (audit only shows problems...), to see how it is supposed to go? I'm attaching the AVC messages that I extracted from /var/log/messages to this bug report (note that some of these are only visible when dontallow is disabled).
First gpg writing to a file in /root/.gpg chcon -t gpg_secret_t /root/.gnupg Should fix I am adding /root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) If you want to examine policy you can use sesearch sesearch -A -t gpg_t -p transition Found 5 semantic av rules: allow crond_t gpg_t : process transition ; allow staff_usertype gpg_t : process { transition sigkill sigstop signull signal getattr } ; allow sysadm_usertype gpg_t : process { transition sigkill sigstop signull signal getattr } ; allow user_usertype gpg_t : process { transition sigkill sigstop signull signal getattr } ; allow system_cronjob_t gpg_t : process transition ; Which shows which domains transition to gpg_t Looks like confined users and the system_cronjob_t. Which is causing you the problems. Unconfined_t does not transition, which is why the script works when you run it normally. We could eliminate the transition from system_cronjob_t which would leave you in that domain. These are the types that gpg_t can currently write, outside of user files. sesearch -A -s gpg_t -c file -p create -C | grep -v home | grep -v user Found 7 semantic av rules: allow gpg_t etc_mail_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow gpg_t gpg_secret_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow gpg_t gpg_agent_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; I think we should remove the transition, if you want to get this to work in enforcing mode for now, you can add your local policy module or change the labels of your backup directory to gpg_agent_tmp_t.
Fixed in selinux-policy-3.6.32-74.fc12.noarch
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
hello, I am have the same problem. I am using CentOS 6.3 64 bit. The installed version of selinux-policy is 3.7.19-155.el6_3.8.noarch. Selinux is disabled onmy server. Have someone a solution for my problem? Thanks in advance, Mitchell