#8699 avc denial for gpg-agent with systemd-run
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by abbra.

One of our tests sets up the gpg-agent with systemd-run, and the following AVC denial is seen during this.

[root@master ~]# ausearch -c '(pg-agent)' --raw
type=AVC msg=audit(1612858362.119:3279): avc:  denied  { execute } for  pid=36606 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1612858362.119:3279): arch=c000003e syscall=59 success=no exit=-13 a0=55c863542480 a1=55c8634443f0 a2=55c863649050 a3=7f31ae994bc0 items=0 ppid=1 pid=36606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(pg-agent)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1612858362.119:3279): proctitle="(pg-agent)"
type=AVC msg=audit(1612863124.959:3500): avc:  denied  { execute } for  pid=37433 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1612863124.959:3500): arch=c000003e syscall=59 success=no exit=-13 a0=55c863542480 a1=55c8635008a0 a2=55c863696200 a3=7f31ae994bc0 items=0 ppid=1 pid=37433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(pg-agent)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1612863124.959:3500): proctitle="(pg-agent)"
[root@master ~]#

Version-Release number of selected component (if applicable):

[root@master ~]# rpm -q selinux-policy gnupg2
selinux-policy-3.14.3-62.el8.noarch
gnupg2-2.2.20-2.el8.x86_64
[root@master ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Execute the following step

/bin/systemd-run --service-type=forking --setenv=GNUPGHOME=/tmp/tmpraace7xx/gnupg --setenv=LC_ALL=C.UTF-8 --setenv=LANGUAGE=C --unit=gpg-agent /usr/bin/gpg-agent --daemon --batch

From IRC discussion: we can set SELinux context explicitly to system_u:system_r:initrc_t:s0:

 /bin/systemd-run --service-type=forking --property SELinuxContext=system_u:system_r:initrc_t:s0 --setenv=GNUPGHOME=/path/to/gnupg --setenv=LC_ALL=C.UTF-8 --setenv=LANGUAGE=C --unit=gpg-agent /usr/bin/gpg-agent --daemon --batch
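An added example, not part of this ticket or of FreeIPA's own code: a small Python parser for raw `ausearch` AVC records like the ones above that flags exactly this denial pattern (a process still in `init_t` denied `execute` on a file typed as a domain entrypoint, `*_exec_t`) and points at the `SELinuxContext=` workaround from the IRC discussion. The two sample records are the ones quoted in the report; the `type=SYSCALL` and `type=PROCTITLE` records are not needed and are skipped.

```python
import re

# Constructed sample: the two AVC records quoted in the report above, one
# per line, in the form that `ausearch --raw` prints them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1612858362.119:3279): avc:  denied  { execute } for  pid=36606 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1612863124.959:3500): avc:  denied  { execute } for  pid=37433 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "serial": m["serial"], "result": m["result"],
           "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')   # drop the quotes around comm="..." etc.
    return rec


def explain_denial(rec):
    """Flag the pattern in this ticket: the init domain was denied execute on a
    file typed as another domain's entrypoint (*_exec_t), i.e. the transient
    unit is still running as init_t rather than in a service domain."""
    if rec["result"] != "denied" or rec.get("tclass") != "file":
        return None
    src = rec["scontext"].split(":")[2]   # type field of the source context
    tgt = rec["tcontext"].split(":")[2]   # type field of the target context
    if "execute" in rec["perms"] and src == "init_t" and tgt.endswith("_exec_t"):
        return (f"pid {rec['pid']} ({rec['comm']}) in {src} denied execute on "
                f"{rec['name']} [{tgt}]: start the unit with an explicit "
                f"SELinuxContext= property, e.g. initrc_t, as in the workaround")
    return None


def analyze(audit_text):
    """Return (serial, explanation) for every matching denial in the text."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and (msg := explain_denial(rec)):
            findings.append((rec["serial"], msg))
    return findings
```

Run `analyze(SAMPLE_AUDIT)` to get one finding per AVC record; feed it the output of `ausearch -c '(pg-agent)' --raw` to check a live system.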

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1926699

3 years ago

Metadata Update from @abbra:
- Issue assigned to abbra

3 years ago

master:

  • 46b0746 test_installutils: run gpg-agent under a specific SELinux context

ipa-4-9:

  • 7ca2797 test_installutils: run gpg-agent under a specific SELinux context

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
