Bug 895610 - Deja-dup cannot execute gpg
Summary: Deja-dup cannot execute gpg
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-01-15 16:22 UTC by Ruslan Sagitov
Modified: 2013-02-12 05:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-02-12 05:09:42 UTC
Type: Bug
Embargoed:


Attachments:
AVC1 (2.45 KB, text/plain), 2013-01-15 16:23 UTC, Ruslan Sagitov
AVC2 (2.96 KB, text/plain), 2013-01-15 16:24 UTC, Ruslan Sagitov

Description Ruslan Sagitov 2013-01-15 16:22:08 UTC
Description of problem:

Deja-dup is a small utility from GNOME which backs up data. One of the features of Deja-dup is to encrypt data before storing it in a remote location. Encryption is done via GPG (GNU Privacy Guard) with the user's private key.

SELinux fires two AVCs when encrypting:
 1. Preventing ssh-agent from reading .local/share/keystore (gnome-keyring, the place where the passphrase for the private key is stored)
 2. Preventing gpg from writing to .cache (the cache directory which Deja-dup chose)

It's much safer to allow Deja-dup to encrypt data before storing it in a remote location, you know.

Version-Release number of selected component (if applicable):

Fedora 17.

selinux-policy-3.10.0-166.fc17.noarch
selinux-policy-targeted-3.10.0-166.fc17.noarch

Expected results:

No AVC denials on backing up.

Additional info:

 * Switch to staff_u:staff_r first.

AVC (first):

type=AVC msg=audit(1358265127.922:158): avc:  denied  { read } for  pid=2611 comm="ssh-agent" name="keystore" dev="sda5" ino=7865252 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:data_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1358265127.922:158): arch=i386 syscall=openat success=yes exit=EEXIST a0=ffffff9c a1=8c39f18 a2=98800 a3=0 items=0 ppid=1 pid=2611 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=ssh-agent exe=/usr/bin/gnome-keyring-daemon subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)

AVC (second):

type=AVC msg=audit(1358265217.730:160): avc:  denied  { write } for  pid=2827 comm="gpg" path="/home/ruslansagitov/.cache/deja-dup/1463af8dcef0b6b3cc2eb4826bd73b82/duplicity-_K4iZu-tempdir/mktemp-i3M5JC-1" dev="sda5" ino=10617244 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file

type=SYSCALL msg=audit(1358265217.730:160): arch=i386 syscall=execve success=yes exit=0 a0=9bd64e0 a1=9a238b0 a2=9850810 a3=9a238e0 items=0 ppid=2726 pid=2827 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=gpg exe=/usr/bin/gpg subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)
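As an added example (not code from the bug report or from the selinux-policy project), the following Python script parses the two audit events quoted above, prints the allow rule that audit2allow would derive for each, and flags the second one as an inherited-descriptor leak. The signal for that is in the SYSCALL record: it is an execve, and exec itself never needs write on a file, so a write denial raised during execve comes from the kernel's check of descriptors the parent (here duplicity, the process that spawned gpg) left open across exec. SELinux closes the offending descriptor and lets the exec proceed, which is why the syscall still reports success=yes and why the maintainer's comment calls it a leak that should not break gpg. The four records are the page's own, embedded as a constructed string; the heuristic, function names and report layout are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the four audit records quoted in the bug report,
# embedded here so the script runs offline without /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358265127.922:158): avc:  denied  { read } for  pid=2611 comm="ssh-agent" name="keystore" dev="sda5" ino=7865252 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:data_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1358265127.922:158): arch=i386 syscall=openat success=yes exit=EEXIST a0=ffffff9c a1=8c39f18 a2=98800 a3=0 items=0 ppid=1 pid=2611 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=ssh-agent exe=/usr/bin/gnome-keyring-daemon subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1358265217.730:160): avc:  denied  { write } for  pid=2827 comm="gpg" path="/home/ruslansagitov/.cache/deja-dup/1463af8dcef0b6b3cc2eb4826bd73b82/duplicity-_K4iZu-tempdir/mktemp-i3M5JC-1" dev="sda5" ino=10617244 scontext=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=SYSCALL msg=audit(1358265217.730:160): arch=i386 syscall=execve success=yes exit=0 a0=9bd64e0 a1=9a238b0 a2=9850810 a3=9a238e0 items=0 ppid=2726 pid=2827 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=gpg exe=/usr/bin/gpg subj=staff_u:staff_r:gpg_t:s0-s0:c0.c1023 key=(null)
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
AUDIT_HDR = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
PERMS = re.compile(r'\{ ([^}]*) \}')      # the "{ read write }" permission set

# Permissions execve legitimately checks on the binary it is about to run.
# A file denial at execve that asks for none of these is the kernel checking
# a descriptor inherited from the parent, i.e. a leaked fd, not gpg's own I/O.
EXEC_NEEDED = {'execute', 'execute_no_trans', 'entrypoint', 'transition',
               'open', 'read', 'map', 'getattr', 'ioctl'}


def parse_record(line):
    """Parse one audit record into a dict; return None for non-audit lines."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'serial': int(m['serial'])}
    body = m['body']
    if rec['type'] == 'AVC':
        p = PERMS.search(body)
        rec['perms'] = tuple(p.group(1).split()) if p else ()
    for key, value in KV.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial so each event is whole."""
    events = defaultdict(lambda: {'avc': [], 'syscall': None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['type'] == 'AVC':
            events[rec['serial']]['avc'].append(rec)
        elif rec['type'] == 'SYSCALL':
            events[rec['serial']]['syscall'] = rec
    return dict(events)


def type_of(context):
    """user:role:type[:range] -> type (the part TE rules name)."""
    return context.split(':')[2]


def allow_rule(avc):
    """The TE allow rule audit2allow would emit for one AVC record."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'], perm_str)


def classify(event):
    """Heuristic (the example's own): distinguish a leaked fd from real access."""
    sc = event['syscall']
    if sc is not None and sc.get('syscall') == 'execve':
        if all(a['tclass'] == 'file' and not (set(a['perms']) & EXEC_NEEDED)
               for a in event['avc']):
            return 'inherited-fd leak'
    return 'direct access'


def analyze(text):
    """One report row per AVC: derived rule, triggering syscall and verdict."""
    rows = []
    for serial, ev in sorted(parse_audit(text).items()):
        sc = ev['syscall'] or {}
        for avc in ev['avc']:
            rows.append({'serial': serial, 'comm': avc.get('comm'),
                         'rule': allow_rule(avc),
                         'syscall': sc.get('syscall'),
                         'success': sc.get('success'),
                         'verdict': classify(ev)})
    return rows


if __name__ == '__main__':
    for row in analyze(SAMPLE_AUDIT_LOG):
        print('%(serial)s %(comm)-10s %(syscall)-7s success=%(success)s  '
              '%(rule)s  [%(verdict)s]' % row)
```

The derived rules are exactly what a local module would carry, but the verdict column is what tells you whether to write one: for the openat denial a rule (or, as the maintainer notes, the existing F18 policy) is the right answer, while for the execve denial the cleaner fix belongs in the parent, which should open its temp file with close-on-exec so gpg never inherits it; a dontaudit or allow rule only silences the symptom.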

Comment 1 Ruslan Sagitov 2013-01-15 16:23:51 UTC
Created attachment 678873 [details]
AVC1

Comment 2 Ruslan Sagitov 2013-01-15 16:24:10 UTC
Created attachment 678874 [details]
AVC2

Comment 3 Daniel Walsh 2013-01-15 22:54:28 UTC
The first access is currently allowed in F18.

#============= staff_gkeyringd_t ==============
#!!!! This avc is allowed in the current policy

allow staff_gkeyringd_t data_home_t:dir read;

The second access is actually a leak, and should not be causing gpg any problems.

I will allow it in F19.  

Miroslav, can you backport?

Comment 4 Miroslav Grepl 2013-01-17 11:53:00 UTC
Backported.

commit d2139d5b7f5eb98918a9d7779b911a08803edce6
Author: Miroslav Grepl <mgrepl>
Date:   Thu Jan 17 12:49:44 2013 +0100

    Allow gpg_t to manage all gnome files

Comment 5 Fedora Update System 2013-02-04 22:05:10 UTC
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17

Comment 6 Fedora Update System 2013-02-05 17:03:16 UTC
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-02-12 05:09:44 UTC
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

