Bug 1831559

Summary: sa-update is not allowed to restart spamassassin
Product: [Fedora] Fedora Reporter: Göran Uddeborg <goeran>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 32CC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-05 20:38:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Göran Uddeborg 2020-05-05 09:30:40 UTC 
(This is a followup to bug 1711799 which got mostly solved, but had some residue.  Since that bug has become a bit messy, I'm creating this separate report for the remainder.)

Description of problem:
The sa-update cron job wants to condrestart the spamassassin service after having downloaded updated information.  It isn't allowed to do that.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.5-32.fc32.noarch


Steps to Reproduce:
1. Enable spamassassin and sa-update


Actual results:
The spamd daemon is not restarted, and those AVC:s show up in the log:

time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.884:584901): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.890:584902): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
The spamd server should have been restarted.


Additional info:

The following additional module seems to fix the problem.

module sa-updatefix 1.12;

require {
	type init_t;
        type spamd_update_t;
	type systemd_unit_file_t;
	all_kernel_class_perms
}

allow spamd_update_t init_t:system status;
allow spamd_update_t systemd_unit_file_t:service { start };
Comment 1 Zdenek Pytela 2020-05-05 12:21:02 UTC 
Hi,

Thank you for reporting the issue. We need to confine /usr/lib/systemd/system/spamassassin.service which will need a few more changes in other modules.
Comment 2 Milos Malik 2020-11-04 08:35:23 UTC 
I believe this bug is a duplicate of BZ#1819017.
Comment 4 Göran Uddeborg 2020-11-05 20:38:25 UTC 
Except that bug is for Fedora 31, it does indeed seem to be a duplicate.

*** This bug has been marked as a duplicate of bug 1819017 ***