Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PGP: Set a default creation SELinux labels on GnuPG directories #289

Merged

Conversation

ppisar
Copy link
Contributor

@ppisar ppisar commented Oct 18, 2023

This is another way how to fix mismatching SELinux context on /run/user directories without moving the directories to /run/gnupg/user.

librepo used to precreate the directory in /run/user to make sure a GnuPG agent executed by GPGME library places its socket there.

The directories there are normally created and removed by systemd (logind PAM session). librepo created them for a case when a package manager is invoked out of systemd session, before the super user logs in. E.g. by a timer job to cache repository metadata.

A problem was when this out-of-session process was a SELinux-confined process creating files with its own SELinux label different from a DNF program. Then the directory was created with a SELinux label different from the one expected by systemd and when logging out a corresponding user, the mismatching label clashed with systemd.

This patch fixes the issue by choosing a SELinux label of those directories to the label defined in a default SELinux file context database.

This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the new dependency on libselinux. A default behavior is to support SELinux only if GPGME backend is selected with -DUSE_GPGME=ON.

https://issues.redhat.com/browse/RHEL-10720

This is another way how to fix mismatching SELinux context on
/run/user directories without moving the directories to
/run/gnupg/user.

librepo used to precreate the directory in /run/user to make sure
a GnuPG agent executed by GPGME library places its socket there.

The directories there are normally created and removed by systemd
(logind PAM session). librepo created them for a case when a package
manager is invoked out of systemd session, before the super user logs
in. E.g. by a timer job to cache repository metadata.

A problem was when this out-of-session process was a SELinux-confined
process creating files with its own SELinux label different from a DNF
program. Then the directory was created with a SELinux label different
from the one expected by systemd and when logging out a corresponding
user, the mismatching label clashed with systemd.

This patch fixes the issue by choosing a SELinux label of those
directories to the label defined in a default SELinux file context
database.

This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the
new dependency on libselinux. A default behavior is to support SELinux
only if GPGME backend is selected with -DUSE_GPGME=ON.

https://issues.redhat.com/browse/RHEL-10720
@ppisar
Copy link
Contributor Author

ppisar commented Oct 18, 2023

The CI test fails because of misconfigured CI (rhel-8.10 branch is built and tested in Fedora 38 environment and then installation of built librepo RPM pakcages fails because a system has installed a far higher librepo NEVRA).

@jan-kolarik jan-kolarik self-assigned this Oct 24, 2023
@jan-kolarik jan-kolarik merged commit 08f02de into rpm-software-management:rhel-8.10 Oct 24, 2023
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

2 participants