SELinux is preventing /usr/bin/gpg from execute access on the file /usr/bin/gpg-agent.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gpg should be allowed execute access on the gpg-agent file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
# semodule -X 300 -i my-gpg.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context system_u:object_r:gpg_agent_exec_t:s0
Target Objects /usr/bin/gpg-agent [ file ]
Source gpg
Source Path /usr/bin/gpg
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9 20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID 513a528e-1e65-4877-a4e2-c782cdefc356
Raw Audit Messages
type=AVC msg=audit(1669184895.202:5013): avc: denied { execute } for pid=99104 comm="gpg" name="gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1669184895.202:5013): arch=x86_64 syscall=access success=yes exit=0 a0=562da7a10ec0 a1=1 a2=0 a3=2000000 items=0 ppid=99103 pid=99104 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg,pulpcore_t,gpg_agent_exec_t,file,execute
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/gpg-agent from 'read, open' accesses on the file /usr/bin/gpg-agent.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gpg-agent should be allowed read open access on the gpg-agent file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gpg-agent' --raw | audit2allow -M my-gpgagent
# semodule -X 300 -i my-gpgagent.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context system_u:object_r:gpg_agent_exec_t:s0
Target Objects /usr/bin/gpg-agent [ file ]
Source gpg-agent
Source Path /usr/bin/gpg-agent
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9 20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID a07ed74a-e23c-479a-a1fe-7c535fa0e92c
Raw Audit Messages
type=AVC msg=audit(1669184895.212:5014): avc: denied { read open } for pid=99106 comm="gpg" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc: denied { execute_no_trans } for pid=99106 comm="gpg" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc: denied { map } for pid=99106 comm="gpg-agent" path="/usr/bin/gpg-agent" dev="nvme0n1p3" ino=67735627 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1669184895.212:5014): arch=x86_64 syscall=execve success=yes exit=0 a0=562da7a10ec0 a1=562da7a10f00 a2=7ffe043a02d8 a3=7f4a509269a0 items=1 ppid=1 pid=99106 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg-agent exe=/usr/bin/gpg-agent subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
type=CWD msg=audit(1669184895.212:5014): cwd=/
type=PATH msg=audit(1669184895.212:5014): item=0 name=/lib64/ld-linux-x86-64.so.2 inode=100673495 dev=103:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root
Hash: gpg-agent,pulpcore_t,gpg_agent_exec_t,file,read,open
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/gpg-agent from unlink access on the sock_file /var/lib/pulp/.gnupg/S.gpg-agent.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gpg-agent should be allowed unlink access on the S.gpg-agent sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gpg-agent' --raw | audit2allow -M my-gpgagent
# semodule -X 300 -i my-gpgagent.pp
Additional Information:
Source Context system_u:system_r:pulpcore_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects /var/lib/pulp/.gnupg/S.gpg-agent [ sock_file ]
Source gpg-agent
Source Path /usr/bin/gpg-agent
Port <Unknown>
Host <Unknown>
Source RPM Packages gnupg2-2.2.20-3.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9 20:13:27 UTC 2022 x86_64 x86_64
Alert Count 1
First Seen 2022-11-23 06:28:15 UTC
Last Seen 2022-11-23 06:28:15 UTC
Local ID 2f3bda6b-868c-4e22-b9cf-da2ff9708113
Raw Audit Messages
type=AVC msg=audit(1669184895.219:5016): avc: denied { unlink } for pid=99106 comm="gpg-agent" name="S.gpg-agent" dev="nvme0n1p3" ino=33913902 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1669184895.219:5016): arch=x86_64 syscall=unlink success=yes exit=0 a0=561a08847f72 a1=0 a2=10830 a3=4000000 items=0 ppid=1 pid=99106 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=gpg-agent exe=/usr/bin/gpg-agent subj=system_u:system_r:pulpcore_t:s0 key=(null)ARCH=x86_64 SYSCALL=unlink AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp
Hash: gpg-agent,pulpcore_t,var_lib_t,sock_file,unlink
When creating a publication using pulp rpm publication create, I get the following SELinux logs. This does not appear to impact product functionality, it just fills up the logs.
[root@localhost ~]# ausearch -c 'gpg' --raw | audit2allow -M my-gpg
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-gpg.pp
[root@localhost ~]# cat my-gpg.te
module my-gpg 1.0;
require {
	type gpg_agent_exec_t;
	type pulpcore_t;
	type var_lib_t;
	class file { create execute execute_no_trans getattr link map open read unlink write };
	class dir { add_name remove_name setattr write };
	class sock_file { create getattr setattr unlink write };
	class unix_stream_socket connectto;
}

#============= pulpcore_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow pulpcore_t gpg_agent_exec_t:file map;
allow pulpcore_t gpg_agent_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow pulpcore_t self:unix_stream_socket connectto;
allow pulpcore_t var_lib_t:dir { add_name remove_name setattr write };
allow pulpcore_t var_lib_t:file { create getattr link open read unlink write };
allow pulpcore_t var_lib_t:sock_file { create getattr setattr unlink write };
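To see how the allow rules in that .te file follow from the raw records, here is an added Python example (not part of this issue or of Pulp's own code) that parses the AVC lines quoted above and merges them per (source type, target type, class) the way audit2allow does; the sample lines are the report's own denials trimmed to the fields used, and the list of "generic" labels in generic_targets is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this issue, trimmed to the fields parsed below.
SAMPLE_AVC = """\
type=AVC msg=audit(1669184895.202:5013): avc: denied { execute } for pid=99104 comm="gpg" name="gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc: denied { read open } for pid=99106 comm="gpg" path="/usr/bin/gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.212:5014): avc: denied { execute_no_trans } for pid=99106 comm="gpg" path="/usr/bin/gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669184895.219:5016): avc: denied { unlink } for pid=99106 comm="gpg-agent" name="S.gpg-agent" scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=sock_file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    # A context is user:role:type[:level]; the allow rule only needs the type.
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, set(perms)) for each AVC denial line; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials into allow rules keyed by (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def generic_targets(text, generic=("var_lib_t", "var_t", "tmp_t")):
    """Flag denials whose target carries a broad default label (assumed list): the socket under
    /var/lib/pulp/.gnupg is plain var_lib_t here, so an allow rule on var_lib_t grants far more than
    that one socket; a file-context rule giving it a Pulp-specific type is the narrower fix."""
    return sorted({tgt for _, tgt, _, _ in parse_avc(text) if tgt in generic})
```

Run on the sample, allow_rules reproduces the gpg_agent_exec_t file rule from my-gpg.te exactly, and generic_targets reports var_lib_t as the label to look at before installing the module.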