RHEL-2480

insights-client tries to create /root/.gnupg

    • insights-client-3.2.7-1.el9
    • Important
    • rhel-sst-csi-client-tools

      Description of problem:
      insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials:

      audit: type=1400 audit(1650615650.790:4): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
      audit: type=1400 audit(1650615650.810:5): avc: denied { read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
      audit: type=1400 audit(1650615650.843:6): avc: denied { getattr } for pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
      audit: type=1400 audit(1650615650.843:7): avc: denied { write } for pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0

      `gpg` tries to create its own homedir (~/.gnupg by default): this of course fails when insights-client is invoked not manually but e.g. by cockpit (from the subscription-manager plugin) or as a systemd service.

      Possible solutions to avoid this:

      • create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations
      • use a Python library for validating signatures – python3-gpg, i.e. the Python binding of GPGME [1], seems a potentially good candidate, as it is already shipped in BaseOS (even in RHEL 8)

      [1] https://gnupg.org/software/gpgme/index.html

      Version-Release number of selected component (if applicable):
      insights-client-3.1.7-8.el9.noarch
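The first proposed fix (a throwaway directory passed as `--homedir` to every `gpg` call), written out as an added example. This is not insights-client code and not from the reporter; the function names, the `VerifyResult` type and the assumption that GnuPG 2.x is on PATH are this example's own. The point a practitioner should take from it: the homedir is created mode 0700 by `mkdtemp`, the keyring inside it holds exactly the one key that was imported, so a `VALIDSIG` status line can only have come from that key, and the directory (with the `pubring.kbx` and `trustdb.gpg` that gpg creates in it) is removed in `finally`, so nothing under `/root` is ever touched by the confined `insights_client_t` process.

```python
"""Verify a detached GPG signature without touching ~/.gnupg.

Added example (not insights-client's own code): every gpg invocation is
pinned to a throwaway --homedir, so a confined caller (cockpit, a systemd
unit) never needs read/write access to /root/.gnupg.  Function and result
names are this example's own.
"""
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from typing import List

GPG = "gpg"  # assumption: GnuPG 2.x on PATH, as shipped in RHEL 8/9


@dataclass
class VerifyResult:
    ok: bool
    homedir: str   # the throwaway home that was used; removed before returning
    reason: str


def gpg_cmd(homedir: str, *args: str) -> List[str]:
    """Build a gpg argv that is pinned to `homedir` and can never prompt."""
    return [GPG, "--homedir", homedir, "--batch", "--no-tty",
            "--status-fd", "1", *args]


def verify_detached(pubkey_path: str, sig_path: str, data_path: str) -> VerifyResult:
    # mkdtemp creates the directory with mode 0700, which is also what gpg
    # wants before it will use a homedir without an "unsafe permissions" warning.
    homedir = tempfile.mkdtemp(prefix="gpg-verify-")
    try:
        # 1. Import only the key we trust into the (empty) keyring.
        imp = subprocess.run(gpg_cmd(homedir, "--import", pubkey_path),
                             capture_output=True, text=True)
        if imp.returncode != 0:
            return VerifyResult(False, homedir,
                                "key import failed: " + imp.stderr.strip())

        # 2. Verify.  The keyring holds exactly one key, so any VALIDSIG line
        #    can only have been produced by that key; --trust-model always
        #    stops gpg from warning that the key is not in the web of trust.
        ver = subprocess.run(gpg_cmd(homedir, "--trust-model", "always",
                                     "--verify", sig_path, data_path),
                             capture_output=True, text=True)
        valid = any(line.startswith("[GNUPG:] VALIDSIG ")
                    for line in ver.stdout.splitlines())
        if ver.returncode == 0 and valid:
            return VerifyResult(True, homedir, "valid signature")
        return VerifyResult(False, homedir,
                            "bad signature: " + ver.stderr.strip())
    except FileNotFoundError:
        # Fail closed: no gpg binary means nothing was verified.
        return VerifyResult(False, homedir, "gpg binary not found")
    finally:
        # Always discard the homedir, including the pubring.kbx and
        # trustdb.gpg that gpg created inside it.
        shutil.rmtree(homedir, ignore_errors=True)


def demo() -> VerifyResult:
    """Run verify_detached() on constructed garbage inputs (not real key or
    signature material); the expected outcome is a clean failure."""
    work = tempfile.mkdtemp(prefix="gpg-demo-")
    try:
        key = os.path.join(work, "key.asc")
        sig = os.path.join(work, "payload.sig")
        data = os.path.join(work, "payload")
        with open(key, "w") as f:
            f.write("not an OpenPGP key\n")       # constructed sample
        with open(sig, "wb") as f:
            f.write(b"\x00\x01not a signature")   # constructed sample
        with open(data, "w") as f:
            f.write("payload\n")                  # constructed sample
        return verify_detached(key, sig, data)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("ok=%s reason=%s homedir_left_behind=%s"
          % (r.ok, r.reason, os.path.isdir(r.homedir)))
```

Whether the signature is good or bad, or gpg is missing altogether, the temporary homedir is gone when the function returns; the SELinux policy for `insights_client_t` then only needs to allow gpg to work under `tmp_t`, not under `admin_home_t`.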

    • Matyas Horky (mhorky@redhat.com)
    • Pino Toscano (ptoscano@redhat.com)
    • Štěpán Tomsa
    • Zdenek Petracek