SELinux is preventing /usr/bin/gpg from getattr access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow gpg to have getattr access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'

***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that gpg should be allowed getattr access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID 80202704-a4a3-4bb5-a526-471ee1b43788
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5011): avc: denied { getattr } for pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1669184895.202:5011): arch=x86_64 syscall=stat success=yes exit=0 a0=562da7a10820 a1=7ffe0439efa0 a2=7ffe0439efa0 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,var_lib_t,sock_file,getattr
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/gpg from write access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow gpg to have write access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, init_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'

***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that gpg should be allowed write access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID cc729450-c568-451b-bbc6-d6783ed80a28
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5012): avc: denied { write } for pid=99104 comm="gpg" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1669184895.202:5012): arch=x86_64 syscall=connect success=no exit=ECONNREFUSED a0=4 a1=7ffe0439f0c0 a2=22 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,var_lib_t,sock_file,write