Bug 903883 - gpg-agent wants read/open access to /proc/sys/crypto/fips_enabled
Summary: gpg-agent wants read/open access to /proc/sys/crypto/fips_enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-25 00:49 UTC by Garrett Holmstrom
Modified: 2013-02-08 02:23 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-08 02:23:54 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Garrett Holmstrom 2013-01-25 00:49:06 UTC 
Description of problem:
gpg-agent seems to want to read /proc/sys/crypto/fips_enabled when it starts, but gpg_agent_t doesn't appear to have anything along the lines of kernel_read_system_state that would allow it to do that sort of thing.

If it matters, the user I'm logging in as has a staff_u login.


type=AVC msg=audit(1359073913.455:599): avc:  denied  { read } for  pid=5080 comm="gpg-agent" name="fips_enabled" dev="proc" ino=1742 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=AVC msg=audit(1359073913.455:599): avc:  denied  { open } for  pid=5080 comm="gpg-agent" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=1742 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359073913.455:599): arch=x86_64 syscall=open success=yes exit=EIO a0=7f57e2023d30 a1=0 a2=1b6 a3=238 items=0 ppid=5078 pid=5080 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 ses=8 tty=(none) comm=gpg-agent exe=/usr/bin/gpg-agent subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
gnupg2-2.0.19-7.fc18.x86_64
selinux-policy-3.11.1-71.fc18.noarch
Comment 1 Garrett Holmstrom 2013-01-25 00:51:10 UTC 
Oops, I missed one.  It also wants getattr:

type=AVC msg=audit(1359073913.455:600): avc:  denied  { getattr } for  pid=5080 comm="gpg-agent" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=1742 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

type=SYSCALL msg=audit(1359073913.455:600): arch=x86_64 syscall=fstat success=yes exit=0 a0=5 a1=7fff853611e0 a2=7fff853611e0 a3=0 items=0 ppid=5078 pid=5080 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 ses=8 tty=(none) comm=gpg-agent exe=/usr/bin/gpg-agent subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
Comment 2 Miroslav Grepl 2013-01-25 09:56:50 UTC 
Added.

commit 335c4ea1629afb521475589541583ac6d8880057
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 25 10:55:38 2013 +0100

    Allow gpg-agent to read /proc/sys/crypto/fips_enabled
Comment 3 Fedora Update System 2013-01-31 13:18:39 UTC 
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18
Comment 4 Fedora Update System 2013-02-01 16:39:14 UTC 
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-02-08 02:23:55 UTC 
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.