On an F29 system with unconfined disabled, running this service:

$ > cat /usr/lib/systemd/system/sa-update.service
### Spamassassin Rules Updates ###
#
# http://wiki.apache.org/spamassassin/RuleUpdates
#
# sa-update automatically updates your rules once per day if a spam daemon like
# spamd or amavisd are running.

[Unit]
Description=Spamassassin Rules Update
Documentation=man:sa-update(1)

[Service]
# Note that the opposite of "yes" is the empty string, NOT "no"

# Options for the actual sa-update command
# These are added to the channel configuration from
# /etc/mail/spamassassin/channel.d/*.conf
Environment=OPTIONS=-v

# Debug script - send mail even if no update available
#Environment=DEBUG=yes

# Send mail when updates successfully processed
# Default: send mail only on error
#Environment=NOTIFY_UPD=yes

ExecStart=/usr/share/spamassassin/sa-update.cron
SuccessExitStatus=1

Which uses these files:

$ ls -lZ /usr/share/spamassassin/sa-update.cron
-rwxr--r--. 1 root root system_u:object_r:bin_t:s0 3417 Sep 20 15:15 /usr/share/spamassassin/sa-update.cron*
$ ls -lZ /usr/bin/sa-update
-rwxr-xr-x. 1 root root system_u:object_r:spamd_update_exec_t:s0 69553 Sep 20 15:15 /usr/bin/sa-update*

Causes these AVCs:

type=AVC msg=audit(1543137120.573:748958): avc: denied { read open } for pid=19291 comm="sa-update.cron" path="/usr/bin/sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748959): avc: denied { read } for pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748960): avc: denied { read } for pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748961): avc: denied { read } for pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
commit 9a217618d11e6691f391bcd1d1cd682f51b2654d
Author: Lukas Vrabec <lvrabec>
Date:   Fri May 17 23:44:59 2019 +0200

    Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
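
For triaging denials like the ones in this report, the following is an added example, not code from the report or from selinux-policy: it parses AVC lines, merges repeats per (source type, target type, class), and flags the pattern the commit addresses. The `missing_transition` heuristic and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# First two of the four AVC records in the report (the other two repeat the second).
SAMPLE = """\
type=AVC msg=audit(1543137120.573:748958): avc: denied { read open } for pid=19291 comm="sa-update.cron" path="/usr/bin/sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543137120.573:748959): avc: denied { read } for pid=19291 comm="sa-update.cron" name="sa-update" dev="vdb" ino=1054047 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:spamd_update_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    # An SELinux context is user:role:type:level; keep only the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Merge repeated denials into one entry per (source, target, class)."""
    merged = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        entry = merged[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["comms"].add(rec.get("comm", "?"))
    return dict(merged)


def missing_transition(key):
    """Heuristic (an assumption of this example): init_t denied on a *_exec_t
    file means a unit's wrapper script is still running as init_t."""
    stype, ttype, tclass = key
    return stype == "init_t" and tclass == "file" and ttype.endswith("_exec_t")


if __name__ == "__main__":
    for key, e in summarize(SAMPLE).items():
        flag = "  <- likely missing domain transition" if missing_transition(key) else ""
        print(key, sorted(e["perms"]), f"x{e['count']}", sorted(e["comms"]), flag)
```

Here the wrapper script is labeled bin_t, so it runs in the caller's domain (init_t), and the denial appears when that script reaches the spamd_update_exec_t binary.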
FEDORA-2019-04b9c67922 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-04b9c67922
selinux-policy-3.14.2-60.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.