PGP: Enable creating a UID directory for GnuPG agent socket in /run/gnupg/user #285
librepo used to precreate the directory in /run/user to make sure a GnuPG agent executed by GPGME library, one of librepo's PGP backends, places its socket there.
The UID directories there are normally created and removed by systemd (logind PAM session). librepo created them for a case when a package manager is invoked out of systemd session, before the super user logs in. E.g. by a timer job to cache repository metadata.
A problem was when this out-of-session process was a SELinux-confined process creating files with its own SELinux label. Then the UID directory was created with a SELinux label different from the one expected by systemd.
Later, the mismatching label interfered with systemd when logging out a corresponding user.
This patch fixes it by creating the UID directories in a different path which is not managed by systemd. That path is /run/gnupg/user. GnuPG recognizes the path if it is compiled with the --enable-run-gnupg-user-socket option.
Unfortunately, this patch cannot keep precreating directories in the old /run/user path for compatibility with GnuPG built without that option because that would still break systemd. Also, GPGME does not provide a way of checking how GnuPG was configured. Therefore users who rely on precreating the directories by librepo need to keep their librepo and GnuPG in synchronization. So this patch adds a new -DUSE_RUN_GNUPG_USER_SOCKET=ON CMake option to use /run/gnupg/user. The default behavior is using the old /run/user.
https://issues.redhat.com/browse/RHEL-10720
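
A sketch of the compile-time path selection and directory precreation described above, added here as an example and not librepo's own code. The macro name mirrors the CMake option from the description; the helper `ensure_uid_dir`, the 0700 mode and the ownership check are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed macro name, mirroring -DUSE_RUN_GNUPG_USER_SOCKET=ON from the text. */
#ifdef USE_RUN_GNUPG_USER_SOCKET
#define SOCKET_BASE "/run/gnupg/user"   /* not managed by systemd-logind */
#else
#define SOCKET_BASE "/run/user"         /* default: the old location */
#endif

/* Hypothetical helper: make sure <base>/<uid> exists as a private directory
 * owned by uid. Returns 0 on success, -1 with errno set; <base> must exist. */
int ensure_uid_dir(const char *base, uid_t uid, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/%lu", base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }

    /* mkdir() fails with EEXIST on an existing entry, symlinks included;
     * that is tolerated only if the checks below pass. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat() so a pre-planted symlink is rejected instead of followed. */
    if (lstat(out, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (st.st_uid != uid) { errno = EPERM; return -1; }
    /* A restrictive umask or an earlier creator may have left another mode. */
    if ((st.st_mode & 07777) != 0700 && chmod(out, 0700) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char path[4096];
    if (ensure_uid_dir(SOCKET_BASE, getuid(), path, sizeof path) != 0) {
        perror(path);
        return 1;
    }
    printf("socket directory ready: %s\n", path);
    return 0;
}
```

Whether the agent then uses that directory can be checked with `gpgconf --list-dirs socketdir`.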