Bug 662486 - dirmngr_t denied udp_socket bind and socket create if not using /run/user
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2018-07-30 17:33 UTC by dkjii
Modified: 2020-08-04 14:47 UTC

Attachments
policy that fixes it (localpolicy.te, 253 bytes, text/plain), 2018-07-30 17:33 UTC, dkjii
local policy fcontexts (localpolicy.fc, 79 bytes, text/plain), 2018-07-30 17:34 UTC, dkjii
Remaining AVC (file_662486.txt, 250 bytes, text/plain), 2018-07-30 17:34 UTC, dkjii
Original AVC (failpg.log, 1.29 KB, text/plain), 2018-07-30 17:36 UTC, dkjii

Description dkjii 2018-07-30 17:33:41 UTC
Created attachment 541808
policy that fixes it

refpol will deny dirmngr_t (gpg --recv-key) permission to bind UDP sockets on an unreserved port, which it seems to need to recv/send keys.

It will also deny the creation of a dirmngr socket under the assumption that XDG_RUNTIME_DIR is present/set, which gnupg does not seem to require.

See my attached local policy, which fixes the issues and makes it work on non-systemd/non-consolekit systems.

The attached AVC is still present but does not seem to affect functionality.
Comment 1 dkjii 2018-07-30 17:34:02 UTC
Created attachment 541810
local policy fcontexts
Comment 2 dkjii 2018-07-30 17:34:49 UTC
Created attachment 541812
Remaining AVC
Comment 3 dkjii 2018-07-30 17:36:36 UTC
Created attachment 541814
Original AVC
Comment 4 dkjii 2018-07-30 17:39:47 UTC
Affected versions <=sec-policy/selinux-gpg-20180701-r1