kgpg, execmod...
Tom London
selinux at gmail.com
Sat Jan 15 20:25:57 UTC 2005
Running strict/enforcing, latest rawhide.
Trying to start kgpg results in:
[tbl at fedora mozExtensions]$ kgpg
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
[tbl at fedora mozExtensions]$
Here are the AVCs. Notice the execmod denial:
Jan 15 12:15:02 fedora crond(pam_unix)[3567]: session closed for user root
Jan 15 12:19:06 fedora kernel: audit(1105820346.545:0): avc: denied
{ read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.033:0): avc: denied
{ execmod } for pid=3597 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.035:0): avc: denied
{ read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.043:0): avc: denied
{ execmod } for pid=3598 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.074:0): avc: denied
{ read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.143:0): avc: denied
{ read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
allow user_gpg_t gpg_exec_t:file execmod;
I'm gun shy to be sprinkling these around. Any thoughts/help?
tom
--
Tom London
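
An added example, not part of the original post: a Python script that parses line-wrapped AVC records like the ones quoted above, collapses repeats into one candidate rule per (source type, target type, class), and flags any rule containing execmod for manual review instead of treating it like an ordinary read denial. The function names and the SAMPLE string are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three denials from the post, wrapped as in the e-mail.
SAMPLE = """\
Jan 15 12:19:06 fedora kernel: audit(1105820346.545:0): avc: denied
{ read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.033:0): avc: denied
{ execmod } for pid=3597 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.043:0): avc: denied
{ execmod } for pid=3598 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
"""

# Matched across line breaks; only the type field of each context is captured.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<body>.*?)"
    r"scontext=\w+:\w+:(?P<s>\w+)\S*\s+tcontext=\w+:\w+:(?P<t>\w+)\S*\s+tclass=(?P<cls>\w+)", re.S)

def summarize(log):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for m in AVC.finditer(log):
        g = groups[(m["s"], m["t"], m["cls"])]
        g["perms"].update(m["perms"].split())
        obj = re.search(r"(?:path|name)=(\S+)", m["body"])
        if obj:
            g["objects"].add(obj.group(1))
        g["count"] += 1
    return groups

def candidate_rules(log):
    """Return (rule, hits, objects, needs_review) per group; execmod is flagged."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(log).items()):
        perms = sorted(g["perms"])
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {src} {tgt}:{cls} {perm};"
        out.append((rule, g["count"], sorted(g["objects"]), "execmod" in perms))
    return out

if __name__ == "__main__":
    for rule, hits, objects, review in candidate_rules(SAMPLE):
        print(rule, f"# {hits} denial(s) on {objects}", "<-- review" if review else "")
```
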