pulp / pulpcore-selinux

A Pulp 3 SELinux policy
https://pulpproject.org
GNU General Public License v2.0

SELinux is preventing /usr/bin/gpg from write,getattr access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent #63

Open tjmullicani opened 1 year ago

tjmullicani commented 1 year ago
SELinux is preventing /usr/bin/gpg from getattr access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gpg to have getattr access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that gpg should be allowed getattr access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp

Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      80202704-a4a3-4bb5-a526-471ee1b43788

Raw Audit Messages
type=AVC msg=audit(1669184895.202:5011): avc:  denied  { getattr } for  pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1

type=SYSCALL msg=audit(1669184895.202:5011): arch=x86_64 syscall=stat success=yes exit=0 a0=562da7a10820 a1=7ffe0439efa0 a2=7ffe0439efa0 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

Hash: gpg,pulpcore_t,var_lib_t,sock_file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/gpg from write access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gpg to have write access on the S.gpg-agent sock_file
Then you need to change the label on /var/lib/pulp/.gnupg/S.gpg-agent
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/pulp/.gnupg/S.gpg-agent'
where FILE_TYPE is one of the following: abrt_var_run_t, avahi_var_run_t, init_var_run_t, lsassd_var_socket_t, nmbd_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, postgresql_tmp_t, postgresql_var_run_t, pulpcore_var_lib_t, redis_var_run_t, setrans_var_run_t, sssd_var_lib_t, sssd_var_run_t, system_dbusd_var_run_t, winbind_var_run_t.
Then execute:
restorecon -v '/var/lib/pulp/.gnupg/S.gpg-agent'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that gpg should be allowed write access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp

Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      cc729450-c568-451b-bbc6-d6783ed80a28

Raw Audit Messages
type=AVC msg=audit(1669184895.202:5012): avc:  denied  { write } for  pid=99104 comm="gpg" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1

type=SYSCALL msg=audit(1669184895.202:5012): arch=x86_64 syscall=connect success=no exit=ECONNREFUSED a0=4 a1=7ffe0439f0c0 a2=22 a3=7ffe0439eda1 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

Hash: gpg,pulpcore_t,var_lib_t,sock_file,write
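
As an added example (not code from the pulpcore-selinux project or from the reporter), the script below parses the two AVC records quoted in this comment, recognises that both denials hit the same object, and chooses between the two remedies sealert offers: relabel the socket when it sits under a policy-owned tree but carries a generic label, or fall back to a local allow rule. OWNED_PREFIXES and GENERIC_TYPES are assumptions; pulpcore_var_lib_t is taken from sealert's own FILE_TYPE list above.

```python
import re

# Sample input: the two AVC records quoted in this issue (constructed copy).
SAMPLE_AVC = """\
type=AVC msg=audit(1669184895.202:5011): avc:  denied  { getattr } for  pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1669184895.202:5012): avc:  denied  { write } for  pid=99104 comm="gpg" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
"""
# Assumption: /var/lib/pulp is a tree the Pulp policy owns; pulpcore_var_lib_t is
# one of the FILE_TYPE values sealert itself lists for this path.
OWNED_PREFIXES = {"/var/lib/pulp/": "pulpcore_var_lib_t"}
GENERIC_TYPES = {"var_lib_t", "var_t", "var_run_t", "tmp_t", "default_t"}  # "never relabeled"
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'(?: path="(?P<path>[^"]+)"| name="(?P<name>[^"]+)")'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r' tclass=(?P<tclass>\w+)')

def parse_avc(text):
    """One dict per AVC record; the denied permissions become a Python set."""
    records = []
    for m in AVC_RE.finditer(text):
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        records.append(rec)
    return records

def triage(records):
    """Merge denials per (source type, target type, class) and pick a remedy."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["stype"], r["ttype"], r["tclass"]),
                              {"perms": set(), "path": None})
        m["perms"] |= r["perms"]
        m["path"] = m["path"] or r["path"]   # name-only records borrow the path
    advice = []
    for (stype, ttype, tclass), m in merged.items():
        path, perms = m["path"], m["perms"]
        owner = next((t for p, t in OWNED_PREFIXES.items()
                      if path and path.startswith(p)), None)
        if owner and ttype in GENERIC_TYPES:
            # The object lives in a policy-owned tree but carries a generic label:
            # fix the label rather than teach pulpcore_t to use var_lib_t sockets.
            advice.append({"action": "relabel", "path": path, "type": owner,
                           "perms": perms,
                           "commands": [f"semanage fcontext -a -t {owner} '{path}'",
                                        f"restorecon -v '{path}'"]})
        else:
            rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
            advice.append({"action": "allow", "path": path, "type": ttype,
                           "perms": perms, "rule": rule})
    return advice
```

Feeding it `ausearch -m AVC --raw` output instead of SAMPLE_AVC works the same way; the allow branch only tells you what audit2allow would generate so you can review it before loading anything.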

tjmullicani commented 1 year ago

audit2allow comments https://github.com/pulp/pulpcore-selinux/issues/64#issuecomment-1325348660