SELinux is preventing /usr/bin/gpg from write,getattr access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent
Opened this issue · 1 comments
tjmullicani commented
SELinux is preventing /usr/bin/gpg from getattr access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow gpg to have getattr access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that gpg should be allowed getattr access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID 80202704-a4a3-4bb5-a526-471ee1b43788
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5011): avc: denied { getattr } for pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1669184895.202:5011): arch=x86_64 syscall=stat success=yes exit=0 a0=562da7a10820 a1=7ffe0439efa0 a2=7ffe0439efa0 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,var_lib_t,sock_file,getattr
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/gpg from write access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow gpg to have write access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, init_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that gpg should be allowed write access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID cc729450-c568-451b-bbc6-d6783ed80a28
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5012): avc: denied { write } for pid=99104 comm="gpg" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1669184895.202:5012): arch=x86_64 syscall=connect success=no exit=ECONNREFUSED a0=4 a1=7ffe0439f0c0 a2=22 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,var_lib_t,sock_file,writetjmullicani commented
audit2allow comments #64 (comment)