-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-8.6.0
-
None
-
None
-
1
-
rhel-sst-csi-client-tools
-
None
-
False
-
-
None
-
CSI [19/Sep- 09/Oct]
-
Pass
-
None
-
If docs needed, set a value
-
-
Unspecified
-
None
Cloning to RHEL 8 as it happens there too.
+++ This bug was initially created as a clone of Bug #2077777 +++
Description of problem:
insights-client validates the GPG signatures of files by running `gpg`; this causes some SELinux denials:
audit: type=1400 audit(1650615650.790:4): avc: denied
{ read } for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0audit: type=1400 audit(1650615650.810:5): avc: denied { read }
for pid=22197 comm="gpg" name="pubring.kbx" dev="vda4" ino=16798216 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:6): avc: denied
for pid=22197 comm="gpg" path="/root/.gnupg/trustdb.gpg" dev="vda4" ino=16799856 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
audit: type=1400 audit(1650615650.843:7): avc: denied
for pid=22197 comm="gpg" name=".gnupg" dev="vda4" ino=16798004 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir permissive=0
`gpg` tries to create its own homedir (~/.gnupg by default): this of course fails in case insights-client is invoked not manually, but e.g. by cockpit (from the subscription-manager plugin) or as systemd service.
Possible solutions to avoid this:
- create a temporary directory for `gpg`, and pass it with `--homedir` to all the `gpg` invocations
- use a Python library for validating signatures – python3-gpg, i.e. the Python binding of GPGME [1], seems a potential good candidate, as it is already shipped in BaseOS (even in RHEL 8)
- external trackers
