Bug 2369644
Summary: Allow `systemctl kill` in logrotate postrotate scripts
Product: Fedora
Component: selinux-policy
Version: 42
Status: CLOSED ERRATA
Severity: low
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Marcos Mello <marcosfrm>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, mschorm, omosnacek, pkoncity, vmojzis, zpytela
Flags: zpytela: mirror+
Fixed In Version: selinux-policy-41.43-1.fc42
Last Closed: 2025-06-07 06:46:34 UTC
Type: Bug


Description Marcos Mello 2025-06-01 18:29:53 UTC
Discussion on devel:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2VLW4M6HTZUNKEBNOA4VYER2UTCEULQG/

Currently, logrotate configuration snippets using `systemctl kill` do not work, generating an AVC:

```
type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" cmdline="" function="bus_unit_method_kill" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
```
(selinux-policy-targeted-41.40-1.fc42.noarch)

The goal is to replace

```
kill -<signal> `cat /run/<pidfile> 2>/dev/null` 2>/dev/null || true
```

or even

```
kill -<signal> $(systemctl show --property MainPID --value <service>)
```

with

```
systemctl kill --signal=<signal> --kill-who=main <service> 2>/dev/null || true
```

It would be welcome for the SELinux policy to allow this, making logrotate postrotate scripts simpler and more elegant.

Comment 1 Zdenek Pytela 2025-06-04 15:13:26 UTC
Marcos,

Can you check the coprbuild in the assigned pull request, or the following module if it is sufficient?

```
# cat local_logrotate_stop.cil
(allow logrotate_t systemd_unit_file_type (service (stop)))

# semodule -i local_logrotate_stop.cil
```
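
The two steps this thread walks through, deriving an allow rule from the USER_AVC record in the description and then broadening its target to the `systemd_unit_file_type` attribute as in the module above, written out as an added shell example (not part of the bug report or the selinux-policy project). The AVC record is the one from the description, reproduced here as a constructed sample string; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the USER_AVC record quoted in the bug description.
AVC_LINE='type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='"'"'avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" cmdline="" function="bus_unit_method_kill" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1'"'"''

# avc_to_cil: read one AVC record on stdin and print the narrowest CIL allow
# rule that would permit exactly the denied access (the same fields
# audit2allow keys on: source type, target type, object class, permissions).
avc_to_cil() {
  rec=$(cat)
  perms=$(printf '%s\n' "$rec" | sed -n -E 's/.*denied *\{ *([^}]*[^} ]) *\}.*/\1/p')
  stype=$(printf '%s\n' "$rec" | sed -n -E 's/.*scontext=[^:]+:[^:]+:([^: ]+).*/\1/p')
  ttype=$(printf '%s\n' "$rec" | sed -n -E 's/.*tcontext=[^:]+:[^:]+:([^: ]+).*/\1/p')
  tclass=$(printf '%s\n' "$rec" | sed -n -E 's/.*tclass=([^ ]+).*/\1/p')
  # Refuse to emit a rule if any field is missing rather than guess.
  [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
  printf '(allow %s %s (%s (%s)))\n' "$stype" "$ttype" "$tclass" "$perms"
}

# broaden_target: rewrite a per-service unit file type (e.g. httpd_unit_file_t)
# to the systemd_unit_file_type attribute, which is what the maintainer chose
# so that logrotate can stop/signal any service, not just php-fpm.
broaden_target() {
  sed 's/ [a-z_]*_unit_file_t / systemd_unit_file_type /'
}

# Stand-alone demo: prints the narrow rule, then the broadened one.
narrow=$(printf '%s\n' "$AVC_LINE" | avc_to_cil)
printf '%s\n' "$narrow"
printf '%s\n' "$narrow" | broaden_target
```

The narrow rule is the one to prefer in a local `.cil` module on a single host; the broadened form is the policy-wide change shipped in selinux-policy-41.43-1.fc42.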

Comment 2 Marcos Mello 2025-06-04 17:18:02 UTC
Thank you very much, with the copr repository version (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The output of `systemctl status php-fpm.service` confirms that the postrotate script action was executed (and without AVCs):

```
jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to main process 2753 (php-fpm) on client request.
```

I plan to file bugs for all packages where using `systemctl kill` makes sense in the logrotate configuration snippets. Should I suggest to the package maintainers that the changes be applied only to rawhide?

Comment 3 Zdenek Pytela 2025-06-04 17:37:58 UTC
(In reply to Marcos Mello from comment #2)
> Thank you very much, with the copr repository version
> (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The
> output of `systemctl status php-fpm.service` confirms that the postrotate
> script action was executed (and without AVCs):
> 
> ```
> jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to
> main process 2753 (php-fpm) on client request.
> ```
> 
> I plan to file bugs for all packages where using `systemctl kill` makes
> sense in the logrotate configuration snippets. Should I suggest to the
> package maintainers that the changes be applied only to rawhide?

The policy is currently shared between F43, F42, F41.
Given the impact, I already allowed the permission for every service as seen in the discussion. Do you think this is not necessary?

Comment 4 Marcos Mello 2025-06-04 17:54:05 UTC
It's perfect as it is. My concern is whether, if package maintainers add `systemctl kill` to logrotate configuration snippets in updates for F42 or F41, there's a possibility that the SELinux policy hasn't been updated yet to include this change, which could impair the log rotation of the daemon in question.

Comment 5 Fedora Update System 2025-06-04 19:43:03 UTC
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491

Comment 6 Fedora Update System 2025-06-05 02:36:02 UTC
FEDORA-2025-f9f097f491 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-f9f097f491`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Zdenek Pytela 2025-06-05 08:11:08 UTC
(In reply to Marcos Mello from comment #4)
> It's perfect as it is. My concern is whether, if package maintainers add
> `systemctl kill` to logrotate configuration snippets in updates for F42 or
> F41, there's a possibility that the SELinux policy hasn't been updated yet
> to include this change, which could impair the log rotation of the daemon in
> question.

Builds for all three supported releases are on the way.

Comment 8 Fedora Update System 2025-06-07 06:46:34 UTC
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make a note of it in this bug report.