Bug 2252484

Summary: avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39
Product: Fedora
Component: selinux-policy
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 39
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-39.4-1.fc39
Last Closed: 2024-01-30 04:22:07 UTC
Reporter: Edgar Hoch <edgar.hoch>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, loye.young, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Doc Type: If docs needed, set a value

Attachments:
Output of "ausearch --raw -m avc" in permissive mode (flags: none)

Description Edgar Hoch 2023-12-01 23:27:51 UTC
After installing Fedora 39 using my kickstart file with many packages (17637 currently), I got some avc denials.

ausearch --raw -m avc | audit2allow

results in

#============= policykit_auth_t ==============
allow policykit_auth_t proc_net_t:lnk_file read;
allow policykit_auth_t sysctl_net_t:dir search;
allow policykit_auth_t sysctl_net_t:file { getattr open read };

#============= policykit_t ==============
allow policykit_t proc_net_t:lnk_file read;
allow policykit_t sysctl_net_t:dir search;
allow policykit_t sysctl_net_t:file { getattr open read };

#============= spamd_update_t ==============
allow spamd_update_t self:cap_userns sys_ptrace;
allow spamd_update_t sysfs_t:dir read;
allow spamd_update_t sysfs_t:file read;


Reproducible: Always

Comment 1 Edgar Hoch 2023-12-01 23:29:17 UTC
Created attachment 2002411 [details]
Output of "ausearch --raw -m avc" in permissive mode

Comment 2 Zdenek Pytela 2023-12-04 09:27:35 UTC
Edgar,

Some of the reported denials have been addressed, but I don't have enough information about sys_ptrace; do you have a direct reproducer, or can you collect the denials with full auditing enabled?

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 3 Edgar Hoch 2023-12-18 23:19:00 UTC
Sorry for the delay.

I found that the denials were reported every day shortly after midnight. I checked cron and systemd and found that the services logrotate.service, sa-update.service and unbound-anchor.service are scheduled for midnight every day.

For logrotate.service, one file contains "pgrep", but I don't think this caused the denial message, because it doesn't contain "spamd":
/etc/logrotate.d/glusterfs:    /usr/bin/killall -HUP `pgrep -f "glusterfs.*snapd"` > /dev/null 2>&1 || true

But sa-update.service calls /usr/share/spamassassin/sa-update.cron, which contains the following lines:

for daemon in mimedefang spamd amavisd spampd; do
    /usr/bin/pgrep -f $daemon >& /dev/null
    [ $? -eq 0 ] && SAUPDATE=yes
done

So I think the message is caused by the package spamassassin-4.0.0-6.fc39.x86_64.

type=AVC msg=audit(1702854015.017:42859): avc:  denied  { sys_ptrace } for  pid=1077477 comm="pgrep" capability=19  scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:spamd_update_t:s0 tclass=cap_userns permissive=1

I hope this helps.
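To make the relationship between the raw record in comment 3 and the audit2allow summary in the description concrete, here is a small awk reimplementation of the summary step of `ausearch --raw -m avc | audit2allow`. It is an added illustration, not part of the bug report, of selinux-policy or of audit2allow; the constructed input reuses the sys_ptrace record quoted above and adds two made-up records shaped to match the policykit_t lines in the description (they are not taken from the attachment). The real tool also prints the "#==== type ====" headers, which are omitted here.

```shell
#!/bin/sh
# Added example (not from the bug report): summarize raw AVC denial records
# into audit2allow-style allow rules.

# Constructed sample input. Record 1 is the denial quoted in comment 3;
# records 2 and 3 are made up to match the policykit_t summary lines.
SAMPLE_AVC='type=AVC msg=audit(1702854015.017:42859): avc:  denied  { sys_ptrace } for  pid=1077477 comm="pgrep" capability=19  scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:spamd_update_t:s0 tclass=cap_userns permissive=1
type=AVC msg=audit(1701475201.001:100): avc:  denied  { read } for  pid=1234 comm="polkitd" name="net" dev="proc" ino=1 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1701475201.002:101): avc:  denied  { getattr open read } for  pid=1234 comm="polkitd" name="somaxconn" dev="proc" ino=2 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1'

# summarize_avc: read raw "type=AVC ... avc:  denied ..." records on stdin and
# print one "allow <src> <tgt>:<class> <perms>;" rule per (src, tgt, class),
# with permissions merged and sorted, the way audit2allow prints them.
summarize_avc() {
  awk '
    /^type=AVC / && /denied +[{]/ {
      # permission list sits between "{ " and " }"
      perms = $0
      sub(/.*denied +[{] /, "", perms)
      sub(/ [}].*/, "", perms)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # the type is the third colon-separated field of a context
        # (user:role:type:level); an MLS range adds more colons after it
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      # audit2allow writes "self" when source and target type are the same
      if (src == tgt) tgt = "self"
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' |
  LC_ALL=C sort -u |
  awk '
    function flush() {
      if (prev == "") return
      if (cnt > 1) printf "allow %s { %s };\n", prev, perms
      else         printf "allow %s %s;\n", prev, perms
    }
    {
      key = $1 " " $2 ":" $3
      if (key != prev) { flush(); prev = key; perms = $4; cnt = 1 }
      else             { perms = perms " " $4; cnt++ }
    }
    END { flush() }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Usage on a live system is `ausearch --raw -m avc | summarize_avc`, after which the rules are compared with the real `audit2allow` output. The summary is for triage only: the denials in this report were resolved by a policy update (selinux-policy-39.4-1.fc39), not by installing the generated rules as a local module, and a rule such as `allow spamd_update_t self:cap_userns sys_ptrace;` should not be loaded locally without understanding which process access it permits.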

Comment 4 Zdenek Pytela 2023-12-21 16:35:21 UTC
It's helpful, thank you; I haven't reproduced it yet.

Comment 5 Fedora Update System 2024-01-26 23:19:57 UTC
FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

Comment 6 Fedora Update System 2024-01-27 02:35:14 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Zdenek Pytela 2024-01-29 11:50:21 UTC
*** Bug 2260636 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2024-01-30 04:22:07 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.