Bug 1653101 - Spamassassin update AVCs
Summary: Spamassassin update AVCs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-25 19:42 UTC by Robin Powell
Modified: 2019-06-17 23:33 UTC

Fixed In Version: selinux-policy-3.14.2-60.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-17 23:33:12 UTC
Type: Bug
Embargoed:



Description Robin Powell 2018-11-25 19:42:10 UTC
On an F29 system with unconfined disabled, running this service:

$ > cat /usr/lib/systemd/system/sa-update.service
### Spamassassin Rules Updates ###
#
# http://wiki.apache.org/spamassassin/RuleUpdates
#
# sa-update automatically updates your rules once per day if a spam daemon like
# spamd or amavisd are running.

[Unit]
Description=Spamassassin Rules Update
Documentation=man:sa-update(1)

[Service]
# Note that the opposite of "yes" is the empty string, NOT "no"
# Options for the actual sa-update command
# These are added to the channel configuration from
# /etc/mail/spamassassin/channel.d/*.conf
Environment=OPTIONS=-v

# Debug script - send mail even if no update available
#Environment=DEBUG=yes

# Send mail when updates successfully processed
# Default: send mail only on error
#Environment=NOTIFY_UPD=yes

ExecStart=/usr/share/spamassassin/sa-update.cron

SuccessExitStatus=1

Which uses these files:

$ ls -lZ /usr/share/spamassassin/sa-update.cron
-rwxr--r--. 1 root root system_u:object_r:bin_t:s0 3417 Sep 20 15:15 /usr/share/spamassassin/sa-update.cron*
$ ls -lZ /usr/bin/sa-update
-rwxr-xr-x. 1 root root system_u:object_r:spamd_update_exec_t:s0 69553 Sep 20 15:15 /usr/bin/sa-update*

Causes these AVCs:

type=AVC msg=audit(1543137120.573:748958): avc:  denied  { read open } for  pid=19291 comm="sa-update.cron" path="/usr/bin/sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748959): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748960): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748961): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
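
The four denials share one pattern: a process in init_t (systemd running the ExecStart script, which is plain bin_t and so causes no transition) tries to read /usr/bin/sa-update, a file labeled spamd_update_exec_t. A type ending in _exec_t is the entry point of another domain, so the expected outcome is a domain transition, not a read permission for init_t. The Python script below is an added example and is not part of the bug report or of selinux-policy. It parses raw AVC records like the ones pasted above, collapses the repeats into one row per (source type, target type, class), and flags denials on *_exec_t files from another domain as a likely missing domain transition. The embedded sample log contains the four records from the description plus one constructed, unrelated record; the implied_domain helper relies on the refpolicy naming convention that foo_exec_t is the entry point of foo_t, which is an assumption to confirm against the loaded policy (for example with sesearch -T).

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the bug description, plus one
# unrelated record made up here so the heuristic has something it should not flag.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1543137120.573:748958): avc:  denied  { read open } for  pid=19291 comm="sa-update.cron" path="/usr/bin/sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748959): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748960): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748961): avc:  denied  { read } for  pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137200.000:748970): avc:  denied  { write } for  pid=19300 comm="sa-update" name="updates" dev="vdb" ino=2000000 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""

# "avc:  denied  { read open } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions on an *_exec_t file that indicate the caller is about to run it.
ENTRYPOINT_PERMS = {"read", "open", "execute", "execute_no_trans", "entrypoint"}


def type_of(context):
    """Return the type component of a context user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": frozenset(m.group("perms").split()),
        "comm": kv.get("comm"),
        "object": kv.get("path") or kv.get("name"),  # path= when known, else name=
        "source_type": type_of(kv["scontext"]),
        "target_type": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "enforced": kv.get("permissive") == "0",
    }


def parse_audit_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Collapse repeated denials into one row per (source type, target type, class)."""
    rows = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for r in records:
        if r["decision"] != "denied":
            continue
        key = (r["source_type"], r["target_type"], r["tclass"])
        rows[key]["perms"] |= r["perms"]
        rows[key]["count"] += 1
        rows[key]["comms"].add(r["comm"])
    return dict(rows)


def classify(key, perms):
    """Heuristic: a denial on another domain's entry point usually means the
    transition rule is missing, not that the source should be allowed to read it."""
    _src, tgt, tclass = key
    if tclass == "file" and tgt.endswith("_exec_t") and perms & ENTRYPOINT_PERMS:
        return "missing_domain_transition"
    return "needs_review"


def implied_domain(exec_type):
    """Refpolicy naming convention: foo_exec_t is the entry point of foo_t.
    Assumption only; confirm against the loaded policy before relying on it."""
    if not exec_type.endswith("_exec_t"):
        return None
    return exec_type[: -len("_exec_t")] + "_t"


def report(text):
    """Return one human-readable finding per collapsed denial row."""
    findings = []
    for key, row in summarize(parse_audit_log(text)).items():
        src, tgt, tclass = key
        verdict = classify(key, row["perms"])
        line = (f"{src} -> {tgt} ({tclass}) {{ {' '.join(sorted(row['perms']))} }} "
                f"x{row['count']} from {', '.join(sorted(row['comms']))}: {verdict}")
        if verdict == "missing_domain_transition":
            line += f"; expected transition {src} -> {implied_domain(tgt)} via {tgt}"
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_AUDIT):
        print(finding)
```

Compare the flagged row with what audit2allow would propose from the same records: an `allow init_t spamd_update_exec_t:file { open read };` rule silences the denial but leaves sa-update running in the init_t domain instead of its own. The fix that shipped in selinux-policy-3.14.2-60.fc29 instead adds the transition into spamd_update_t, as the commit message in Comment 1 states, which is the outcome the heuristic points at.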

Comment 1 Lukas Vrabec 2019-05-22 20:49:26 UTC
commit 9a217618d11e6691f391bcd1d1cd682f51b2654d
Author: Lukas Vrabec <lvrabec>
Date:   Fri May 17 23:44:59 2019 +0200

    Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t

Comment 2 Fedora Update System 2019-05-31 08:47:38 UTC
FEDORA-2019-04b9c67922 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922

Comment 3 Fedora Update System 2019-06-01 18:54:46 UTC
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922

Comment 4 Fedora Update System 2019-06-17 23:33:12 UTC
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

