kgpg, execmod...

Tom London selinux at gmail.com
Sat Jan 15 20:25:57 UTC 2005


running strict/enforcing, latest rawhide.

Trying to start kgpg results in:

[tbl at fedora mozExtensions]$ kgpg
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
[tbl at fedora mozExtensions]$

Here are the AVCs.  Notice the execmod denial:

Jan 15 12:15:02 fedora crond(pam_unix)[3567]: session closed for user root
Jan 15 12:19:06 fedora kernel: audit(1105820346.545:0): avc:  denied 
{ read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.033:0): avc:  denied 
{ execmod } for  pid=3597 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.035:0): avc:  denied 
{ read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.043:0): avc:  denied 
{ execmod } for  pid=3598 comm=gpg path=/usr/bin/gpg dev=hda2
ino=4127070 scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.074:0): avc:  denied 
{ read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.143:0): avc:  denied 
{ read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2
ino=3802156 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:user_gpg_secret_t tclass=file

allow user_gpg_t gpg_exec_t:file execmod;

I'm gun-shy to be sprinkling these around.  Any thoughts/help?

tom

-- 
Tom London
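A small triage helper for the denials quoted above, as an added example that is not part of the original message or of the Fedora/SELinux tooling. It parses the `avc: denied` records, tallies them by source type, target type, object class and permission (roughly what audit2allow does for a handful of lines), and returns the allow rule that would silence each one, flagging execmod separately. The function names and the sample records, re-joined onto single lines the way the kernel actually emits them, are assumptions of this example; the values in them are taken from the post.

```python
"""Tally AVC denials and derive the allow rule for each (added example).

Assumptions: function names are this example's own; SAMPLE_AVC_LINES is
constructed from the records in the post, re-joined onto single lines.
"""
import re
from collections import Counter

# Constructed sample input: the records from the post, one per line.
SAMPLE_AVC_LINES = [
    "Jan 15 12:15:02 fedora crond(pam_unix)[3567]: session closed for user root",
    "Jan 15 12:19:06 fedora kernel: audit(1105820346.545:0): avc:  denied  { read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file",
    "Jan 15 12:19:07 fedora kernel: audit(1105820347.033:0): avc:  denied  { execmod } for  pid=3597 comm=gpg path=/usr/bin/gpg dev=hda2 ino=4127070 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file",
    "Jan 15 12:19:07 fedora kernel: audit(1105820347.035:0): avc:  denied  { read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file",
    "Jan 15 12:19:07 fedora kernel: audit(1105820347.043:0): avc:  denied  { execmod } for  pid=3598 comm=gpg path=/usr/bin/gpg dev=hda2 ino=4127070 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file",
    "Jan 15 12:19:07 fedora kernel: audit(1105820347.074:0): avc:  denied  { read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file",
    "Jan 15 12:19:07 fedora kernel: audit(1105820347.143:0): avc:  denied  { read } for  pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file",
]

# "avc:  denied  { perm ... } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    # A security context is user:role:type[:range]; the type is what policy rules use.
    return {
        "perms": tuple(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def summarize(lines):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for entry in filter(None, map(parse_avc, lines)):
        for perm in entry["perms"]:
            counts[(entry["stype"], entry["ttype"], entry["tclass"], perm)] += 1
    return counts


def allow_rule(stype, ttype, tclass, perm):
    """The policy statement that would permit exactly this access."""
    return f"allow {stype} {ttype}:{tclass} {perm};"


def triage(lines):
    """Return (count, rule, note) per distinct denial, most frequent first.

    execmod on a file means the program wanted to write to and then execute
    a mapped file, which is what ld.so does for text relocations; that is a
    build problem to fix in the binary, so it gets a note instead of a
    silent rule.
    """
    report = []
    for (stype, ttype, tclass, perm), n in summarize(lines).most_common():
        note = ""
        if perm == "execmod" and tclass == "file":
            note = ("text relocations: check the object with readelf -d "
                    "(TEXTREL) or eu-findtextrel and rebuild it as PIC "
                    "before granting execmod")
        report.append((n, allow_rule(stype, ttype, tclass, perm), note))
    return report


if __name__ == "__main__":
    for n, rule, note in triage(SAMPLE_AVC_LINES):
        print(f"{n:3d}  {rule}" + (f"   # {note}" if note else ""))
```

Run against the records above, the helper reproduces the rule quoted in the post (`allow user_gpg_t gpg_exec_t:file execmod;`) and a second one for the gpg.conf reads, which are a separate denial: kgpg itself is running as user_t rather than in a gpg domain. The loader message "cannot restore segment prot after reloc" is what ld.so prints when an object with text relocations is loaded under a policy that denies execmod, so the rule the post is nervous about is papering over a non-PIC build; the narrower fix is to find and rebuild that object, and a hand-written execmod rule scoped to one domain and type, as here, is the fallback rather than the first move.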
