SELinux is preventing /usr/bin/gpg from write access on the file /var/lib/pulp/.gnupg/pubring.kbx.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow gpg to have write access on the pubring.kbx file
Then you need to change the label on /var/lib/pulp/.gnupg/pubring.kbx
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/pubring.kbx'
where FILE_TYPE is one of the following: afs_cache_t, httpd_sys_rw_content_t, initrc_tmp_t, pulpcore_server_tmpfs_t, pulpcore_server_var_lib_t, pulpcore_tmp_t, pulpcore_var_lib_t, pulpcore_var_run_t, puppet_tmp_t, user_cron_spool_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/pubring.kbx'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that gpg should be allowed write access on the pubring.kbx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/pubring.kbx [ file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9 20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID 9b33163d-bb4a-4eec-9c05-9353cf89e317
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5006): avc: denied { write } for pid=99104 comm="gpg" name="pubring.kbx" dev="nvme0n1p3" ino=33573614 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1669184895.202:5006): arch=x86_64 syscall=access success=yes exit=0 a0=562da7a10940 a1=2 a2=0 a3=0 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,var_lib_t,file,write