[DSE-Dev] Bug#776522: selinux-policy-default: unconfined_t can't use/upgrade gpg-agent

Devin Carraway devin at debian.org
Wed Jan 28 23:04:21 UTC 2015


Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: normal

unconfined_t doesn't seem able to touch gpg_agent_exec_t; this blocks its use,
but also prevents dpkg from upgrading gnupg-agent, and thus blocks installation
of gnupg2:

root@atlantic:/etc/selinux/local# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh

type=AVC msg=audit(1422486167.297:275972): avc:  denied  { getattr } for  pid=13829 comm="ls" path="/usr/bin/gpg-agent" dev="sda5" ino=6809304 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0


root@atlantic:/etc/selinux/local# sesearch -A --allow -t gpg_agent_exec_t
Found 5 semantic av rules:
   allow sysadm_ssh_agent_t gpg_agent_exec_t : file { read getattr execute open } ; 
   allow secadm_ssh_agent_t gpg_agent_exec_t : file { read getattr execute open } ; 
   allow auditadm_ssh_agent_t gpg_agent_exec_t : file { read getattr execute open } ; 
   allow staff_ssh_agent_t gpg_agent_exec_t : file { read getattr execute open } ; 
   allow user_ssh_agent_t gpg_agent_exec_t : file { read getattr execute open } ; 

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-2
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- debconf-show failed
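As an added illustration (not part of the bug report above, and not the Debian policy's own fix), a local policy module that gives unconfined_t the same file permissions on gpg_agent_exec_t that the five *_ssh_agent_t rules already carry, plus the build and verification commands a practitioner would run on the reporting system. The module name local_gpg_agent is an assumption; the module grants only the { read getattr execute open } set shown in the sesearch output, so any further denials raised while dpkg replaces the binary still need their own review.

```shell
# Emit a minimal SELinux policy module (TE source) for the denial in the report.
# Module name "local_gpg_agent" is a placeholder chosen for this example.
gen_local_gpg_agent_te() {
    cat <<'EOF'
module local_gpg_agent 1.0;

require {
    type unconfined_t;
    type gpg_agent_exec_t;
    class file { read getattr execute open };
}

# Mirror the permissions the *_ssh_agent_t domains already have on gpg_agent_exec_t
allow unconfined_t gpg_agent_exec_t:file { read getattr execute open };
EOF
}

# Compile and load the module (needs checkpolicy and policycoreutils installed;
# must run as root on the affected host). Not invoked automatically.
build_and_load_local_gpg_agent() {
    dir=$(mktemp -d)
    gen_local_gpg_agent_te > "$dir/local_gpg_agent.te"
    checkmodule -M -m -o "$dir/local_gpg_agent.mod" "$dir/local_gpg_agent.te" &&
    semodule_package -o "$dir/local_gpg_agent.pp" -m "$dir/local_gpg_agent.mod" &&
    semodule -i "$dir/local_gpg_agent.pp"
}

# After loading, the same sesearch query as in the report, narrowed to the source
# domain, should now list an allow rule for unconfined_t.
verify_local_gpg_agent() {
    sesearch -A --allow -s unconfined_t -t gpg_agent_exec_t
}
```

Run `build_and_load_local_gpg_agent` and then `verify_local_gpg_agent`; re-check `ausearch -m avc` (or the audit log) while upgrading gnupg-agent to see whether dpkg needs anything beyond this set.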
