
SELinux is preventing /usr/bin/gpg from read/write access on the directory labeled var_lib_t #62

Open
tjmullicani opened this issue Nov 23, 2022 · 1 comment


@tjmullicani

tjmullicani commented Nov 23, 2022

SELinux is preventing /usr/bin/gpg from write access on the directory labeled var_lib_t.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gpg to have write access on the (null) directory
Then you need to change the label on (null)
Do
# semanage fcontext -a -t FILE_TYPE '(null)'
where FILE_TYPE is one of the following: httpd_sys_rw_content_t, pulpcore_server_tmpfs_t, pulpcore_server_var_lib_t, pulpcore_tmp_t, pulpcore_var_lib_t, pulpcore_var_run_t, tmp_t, tmpfs_t, var_run_t.
Then execute:
restorecon -v '(null)'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that gpg should be allowed write access on directory labeled var_lib_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp


Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                (null) [ dir ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      fb082fb6-3554-49a3-aaf0-8796955858e5

Raw Audit Messages
type=AVC msg=audit(1669184895.202:5007): avc:  denied  { write } for  pid=99104 comm="gpg" name=".gnupg" dev="nvme0n1p3" ino=33573574 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1669184895.202:5007): avc:  denied  { add_name } for  pid=99104 comm="gpg" name=".#lk0x0000562da7a10970.localhost.localdomain.99104" scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1669184895.202:5007): avc:  denied  { create } for  pid=99104 comm="gpg" name=".#lk0x0000562da7a10970.localhost.localdomain.99104" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=AVC msg=audit(1669184895.202:5007): avc:  denied  { write open } for  pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/.#lk0x0000562da7a10970.localhost.localdomain.99104" dev="nvme0n1p3" ino=33573615 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1669184895.202:5007): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffff9c a1=562da7a109b0 a2=c1 a3=1a4 items=4 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

type=CWD msg=audit(1669184895.202:5007): cwd=/var/lib/pulp/tmp/97489@localhost.localdomain/tmp0a9n5fbi

type=PATH msg=audit(1669184895.202:5007): item=0 name=(null) inode=33573574 dev=103:03 mode=040700 ouid=991 ogid=987 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

type=PATH msg=audit(1669184895.202:5007): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1669184895.202:5007): item=2 name=(null) inode=33573574 dev=103:03 mode=040700 ouid=991 ogid=987 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

type=PATH msg=audit(1669184895.202:5007): item=3 name=(null) inode=33573615 dev=103:03 mode=0100644 ouid=991 ogid=987 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

Hash: gpg,pulpcore_t,var_lib_t,dir,write

SELinux is preventing /usr/bin/gpg from read access on the file labeled var_lib_t.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gpg to have read access on the (null) file
Then you need to change the label on (null)
Do
# semanage fcontext -a -t FILE_TYPE '(null)'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, certmonger_tmp_t, chrome_sandbox_tmp_t, chronyd_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fprintd_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gssd_tmp_t, hostname_etc_t, hsqldb_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_sys_rw_content_t, httpd_tmp_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, insights_client_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, jetty_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfsd_tmp_t, nova_tmp_t, nsd_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_web_tmp_t, pkcs11_modules_conf_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, proc_xen_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulpcore_etc_t, pulpcore_exec_t, pulpcore_server_tmp_t, pulpcore_server_tmpfs_t, pulpcore_server_var_lib_t, pulpcore_tmp_t, pulpcore_var_lib_t, pulpcore_var_run_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, rabbitmq_tmp_t, racoon_tmp_t, realmd_tmp_t, redis_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, rhsmcertd_tmpfs_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rrdcached_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sbd_tmpfs_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech_dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_map_t, system_munin_plugin_tmp_t, systemd_importd_tmp_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t.
Then execute:
restorecon -v '(null)'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that gpg should be allowed read access on file labeled var_lib_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp


Additional Information:
Source Context                system_u:system_r:pulpcore_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                (null) [ file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-11-23 06:28:15 UTC
Last Seen                     2022-11-23 06:28:15 UTC
Local ID                      89b9d7a7-35a3-41dd-9c78-fea71984b3c0

Raw Audit Messages
type=AVC msg=audit(1669184895.202:5009): avc:  denied  { read } for  pid=99104 comm="gpg" name=".#lk0x0000562da7a10970.localhost.localdomain.99104" dev="nvme0n1p3" ino=33573615 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=AVC msg=audit(1669184895.202:5009): avc:  denied  { link } for  pid=99104 comm="gpg" name=".#lk0x0000562da7a10970.localhost.localdomain.99104" dev="nvme0n1p3" ino=33573615 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1669184895.202:5009): arch=x86_64 syscall=link success=yes exit=0 a0=562da7a109b0 a1=562da7a10a20 a2=17 a3=0 items=4 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=link AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

type=CWD msg=audit(1669184895.202:5009): cwd=/var/lib/pulp/tmp/97489@localhost.localdomain/tmp0a9n5fbi

type=PATH msg=audit(1669184895.202:5009): item=0 name=(null) inode=33573574 dev=103:03 mode=040700 ouid=991 ogid=987 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

type=PATH msg=audit(1669184895.202:5009): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1669184895.202:5009): item=2 name=(null) inode=33573574 dev=103:03 mode=040700 ouid=991 ogid=987 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

type=PATH msg=audit(1669184895.202:5009): item=3 name=(null) inode=33573615 dev=103:03 mode=0100644 ouid=991 ogid=987 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=pulp OGID=pulp

Hash: gpg,pulpcore_t,var_lib_t,file,read
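As an added example (not the issue author's or the Pulp project's code), the script below parses AVC records like the ones in the report, groups them the way audit2allow merges them, and shows why the catchall fix is broader than the problem: it would grant pulpcore_t write on every var_lib_t directory and file, whereas the denied path sits under /var/lib/pulp, so relabelling that one subtree to a pulp-specific type (pulpcore_var_lib_t, one of the FILE_TYPE values setroubleshoot lists above) is the narrower repair. The sample lines are copied from this issue; the application root /var/lib/pulp and the target type are assumptions to confirm against the installed pulpcore file contexts (`semanage fcontext -l`) before relabelling.

```python
import re
from collections import defaultdict

# Sample input: three AVC records copied from the audit output quoted in this issue.
SAMPLE_AVCS = """\
type=AVC msg=audit(1669184895.202:5007): avc:  denied  { write } for  pid=99104 comm="gpg" name=".gnupg" dev="nvme0n1p3" ino=33573574 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1669184895.202:5007): avc:  denied  { write open } for  pid=99104 comm="gpg" path="/var/lib/pulp/.gnupg/.#lk0x0000562da7a10970.localhost.localdomain.99104" dev="nvme0n1p3" ino=33573615 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.202:5009): avc:  denied  { read } for  pid=99104 comm="gpg" name=".#lk0x0000562da7a10970.localhost.localdomain.99104" dev="nvme0n1p3" ino=33573615 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
CTX_RE = re.compile(r"scontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+)\S*\s+"
                    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+tclass=(?P<tclass>\S+)")
PATH_RE = re.compile(r'path="([^"]+)"')

def parse_avc(line):
    """Return (source domain, target type, object class, permission set, path or None)."""
    perms, ctx = PERMS_RE.search(line), CTX_RE.search(line)
    if not (perms and ctx):
        return None  # SYSCALL/PATH/CWD records carry no denial
    path = PATH_RE.search(line)
    return (ctx["sdom"], ctx["ttype"], ctx["tclass"], set(perms.group(1).split()),
            path.group(1) if path else None)

def summarize(text):
    """Group denials by (domain, type, class), the key audit2allow merges rules on."""
    rules, paths = defaultdict(set), set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            sdom, ttype, tclass, perms, path = rec
            rules[(sdom, ttype, tclass)] |= perms
            if path:
                paths.add(path)
    return dict(rules), paths

def allow_rules(rules):
    """Allow rules a catchall module would carry: they cover every var_lib_t object, not just Pulp's."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def relabel_plan(paths, app_root, app_type):
    """If every denied path is under the app's data root, relabel that subtree instead (assumed root/type)."""
    subtree = None
    for path in paths:
        if not path.startswith(app_root + "/"):
            return None  # a path outside the app's tree needs a real policy decision, not a relabel
        subtree = app_root + "/" + path[len(app_root) + 1:].split("/", 1)[0]
    if subtree is None:
        return None
    return [f"semanage fcontext -a -t {app_type} '{re.escape(subtree)}(/.*)?'",
            f"restorecon -Rv '{subtree}'"]
```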
@tjmullicani tjmullicani changed the title SELinux is preventing /usr/bin/gpg from write access on the directory labeled var_lib_t SELinux is preventing /usr/bin/gpg from read/write access on the directory labeled var_lib_t Nov 23, 2022
@tjmullicani (Author)

audit2allow comments #64 (comment)
