pulp / pulpcore-selinux

A Pulp 3 SELinux policy
https://pulpproject.org
GNU General Public License v2.0

SELinux is preventing /usr/bin/gpg from execute,read,open,unlink access on the file /usr/bin/gpg-agent #64

Open tjmullicani opened 1 year ago

tjmullicani commented 1 year ago
SELinux is preventing /usr/bin/gpg from execute access on the file /usr/bin/gpg-agent.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpg should be allowed execute access on the gpg-agent file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp

Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                system_u:object_r:gpg_agent_exec_t:s0
Target Objects                /usr/bin/gpg-agent [ file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      513a528e-1e65-4877-a4e2-c782cdefc356

Raw Audit Messages
type=AVC msg=audit(1669184895.202:5013): avc:  denied  { execute } for  pid=99104 comm="gpg" name="gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1669184895.202:5013): arch=x86_64 syscall=access success=yes exit=0 a0=562da7a10ec0 a1=1 a2=0 a3=2000000 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

Hash: gpg,pulpcore_t,gpg_agent_exec_t,file,execute

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/gpg-agent from 'read, open' accesses on the file /usr/bin/gpg-agent.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpg-agent should be allowed read open access on the gpg-agent file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg-agent' --raw | audit2allow -M my-gpgagent
# semodule -X 300 -i my-gpgagent.pp

Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                system_u:object_r:gpg_agent_exec_t:s0
Target Objects                /usr/bin/gpg-agent [ file ]
Source                        gpg-agent
Source Path                   /usr/bin/gpg-agent
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      a07ed74a-e23c-479a-a1fe-7c535fa0e92c

Raw Audit Messages
type=AVC msg=audit(1669184895.212:5014): avc:  denied  { read open } for  pid=99106 comm="gpg" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1

type=AVC msg=audit(1669184895.212:5014): avc:  denied  { execute_no_trans } for  pid=99106 comm="gpg" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1

type=AVC msg=audit(1669184895.212:5014): avc:  denied  { map } for  pid=99106 comm="gpg-agent" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1669184895.212:5014): arch=x86_64 syscall=execve success=yes exit=0 a0=562da7a10ec0 a1=562da7a10f00 a2=7ffe043a02d8 a3=7f4a509269a0 items=1 ppid=1 pid=99106 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg-agent exe=/usr/bin/gpg-agent subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

type=CWD msg=audit(1669184895.212:5014): cwd=/

type=PATH msg=audit(1669184895.212:5014): item=0 name=/lib64/ld-linux-x86-64.so.2 inode=100673495 dev=103:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root

Hash: gpg-agent,pulpcore_t,gpg_agent_exec_t,file,read,open
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/gpg-agent from unlink access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gpg-agent should be allowed unlink access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg-agent' --raw | audit2allow -M my-gpgagent
# semodule -X 300 -i my-gpgagent.pp

Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source                        gpg-agent
Source Path                   /usr/bin/gpg-agent
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      2f3bda6b-868c-4e22-b9cf-da2ff9708113

Raw Audit Messages
type=AVC msg=audit(1669184895.219:5016): avc:  denied  { unlink } for  pid=99106 comm="gpg-agent" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1

type=SYSCALL msg=audit(1669184895.219:5016): arch=x86_64 syscall=unlink success=yes exit=0 a0=561a08847f72 a1=0 a2=10830 a3=4000000 items=0 ppid=1 pid=99106 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg-agent exe=/usr/bin/gpg-agent subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=unlink AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

Hash: gpg-agent,pulpcore_t,var_lib_t,sock_file,unlink

tjmullicani commented 1 year ago

When creating a publication using pulp rpm publication create, I get the following SELinux logs. This does not appear to impact product functionality, it just fills up the logs.

[root@localhost ~]# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-gpg.pp

[root@localhost ~]# cat my-gpg.te

module my-gpg 1.0;

require {
        type gpg_agent_exec_t;
        type pulpcore_t;
        type var_lib_t;
        class file { create execute execute_no_trans getattr link map open read unlink write };
        class dir { add_name remove_name setattr write };
        class sock_file { create getattr setattr unlink write };
        class unix_stream_socket connectto;
}

#============= pulpcore_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow pulpcore_t gpg_agent_exec_t:file map;
allow pulpcore_t gpg_agent_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow pulpcore_t self:unix_stream_socket connectto;
allow pulpcore_t var_lib_t:dir { add_name remove_name setattr write };
allow pulpcore_t var_lib_t:file { create getattr link open read unlink write };
allow pulpcore_t var_lib_t:sock_file { create getattr setattr unlink write };
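As an added example (not part of the issue or of the pulpcore-selinux project), a small Python check that reduces the AVC records quoted above to the minimal allow rules they actually justify, then lists what the audit2allow-generated my-gpg.te grants on top of that. The AVC lines are abbreviated copies of the issue's raw audit messages; the review step is the generic one of comparing a generated module against the denials it was meant to fix.

```python
import re

# AVC records abbreviated from the issue's raw audit messages (one per distinct denial).
AVC_LINES = """
type=AVC msg=audit(1669184895.202:5013): avc:  denied  { execute } for  pid=99104 comm="gpg" name="gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc:  denied  { read open } for  pid=99106 comm="gpg" path="/usr/bin/gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc:  denied  { execute_no_trans } for  pid=99106 comm="gpg" path="/usr/bin/gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc:  denied  { map } for  pid=99106 comm="gpg-agent" path="/usr/bin/gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.219:5016): avc:  denied  { unlink } for  pid=99106 comm="gpg-agent" name="S.gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
"""

# The allow rules from the my-gpg.te that audit2allow produced in the issue.
GENERATED_TE = """
allow pulpcore_t gpg_agent_exec_t:file map;
allow pulpcore_t gpg_agent_exec_t:file { execute execute_no_trans open read };
allow pulpcore_t self:unix_stream_socket connectto;
allow pulpcore_t var_lib_t:dir { add_name remove_name setattr write };
allow pulpcore_t var_lib_t:file { create getattr link open read unlink write };
allow pulpcore_t var_lib_t:sock_file { create getattr setattr unlink write };
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<stype>\w+):\S+'
                    r' tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'^allow (\w+) (\w+):(\w+) (?:\{ ([^}]+)\}|(\w+));', re.M)

def minimal_rules(avc_text):
    """Union of permissions per (source type, target type, class) actually seen in denials."""
    need = {}
    for m in AVC_RE.finditer(avc_text):
        need.setdefault((m['stype'], m['ttype'], m['tclass']), set()).update(m['perms'].split())
    return need

def format_rule(stype, ttype, tclass, perms):
    """Render one (source, target, class) entry as a policy allow rule."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"

def excess_grants(te_text, avc_text):
    """Permissions the module grants that none of the denials needed; these deserve review."""
    need = minimal_rules(avc_text)
    extra = {}
    for m in ALLOW_RE.finditer(te_text):
        key = (m[1], m[2], m[3])
        diff = set((m[4] or m[5]).split()) - need.get(key, set())
        if diff:
            extra[key] = extra.get(key, set()) | diff
    return extra
```

The var_lib_t rules stand out in the excess list because var_lib_t is the generic label for /var/lib, so a module built from a broad ausearch query ends up granting pulpcore_t writes well beyond /var/lib/pulp/.gnupg.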