Created attachment 1574551
extracted AVCs

Description of problem:
Install and operation of spamassassin creates a systemd job, via /usr/lib/systemd/system/sa-update.service. When that service runs, it calls pgrep, which then generates hundreds of AVCs on access to the /proc fs.

Version-Release number of selected component (if applicable):
spamassassin-3.4.2-4.fc30.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install and start spamassassin

Additional info:
typical AVC:
type=AVC msg=audit(1558501200.531:945): avc: denied { getattr } for pid=19301 comm="pgrep" path="/proc/2" dev="proc" ino=12870 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
Created attachment 1574552
the generated .te

Created attachment 1574553
the .cil output
Moving to selinux-policy for comment. This would likely also be fixed by moving sa-update to a proper unit file.
commit 9c3b5d3308f713cb66554ab3d85cffd73861c6fc
Author: Lukas Vrabec <lvrabec>
Date:   Tue May 21 15:39:13 2019 +0200

    Dontaudit spamd_update_t domain to read all domains states
    BZ(1711799)
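As an added example (not part of this bug report or of the selinux-policy project), a small Python triage script that parses AVC records like the typical one in the description, aggregates denials by source type, target type, class and permissions, and separates the spamd_update_t probes of /proc that the dontaudit commit above silences from any other denials. The audit lines are constructed; only the first is the one quoted in the description.

```python
import re
from collections import Counter

# Constructed sample audit records. The first is the "typical AVC" quoted in the
# bug description; the other three are made up to exercise the aggregation.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1558501200.531:945): avc: denied { getattr } for pid=19301 comm="pgrep" path="/proc/2" dev="proc" ino=12870 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558501200.532:946): avc: denied { getattr } for pid=19301 comm="pgrep" path="/proc/3" dev="proc" ino=12871 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558501200.540:947): avc: denied { read open } for pid=19301 comm="pgrep" name="stat" dev="proc" ino=12900 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=AVC msg=audit(1558501201.100:948): avc: denied { write } for pid=2200 comm="httpd" name="index.html" dev="dm-0" ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
DEV_RE = re.compile(r'\bdev="([^"]+)"')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["stype"] = rec["scontext"].split(":")[2]  # type = 3rd field of a context
    rec["ttype"] = rec["tcontext"].split(":")[2]
    dev = DEV_RE.search(line)
    rec["dev"] = dev.group(1) if dev else None
    return rec

def is_proc_state_probe(rec):
    """The pattern this bug is about: spamd_update_t (pgrep) touching other
    domains' entries under /proc, which the policy fix turns into dontaudit."""
    return rec["stype"] == "spamd_update_t" and rec["dev"] == "proc"

def summarize(text):
    """Aggregate denials by (source type, target type, class, perms) and split
    out the expected /proc noise so any remaining denials stand out."""
    counts, noise, other = Counter(), 0, 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
        if is_proc_state_probe(rec):
            noise += 1
        else:
            other += 1
    return counts, noise, other
```

Feed it the output of `ausearch -m AVC --raw` instead of SAMPLE_AUDIT to turn a bare line count like the 795 reported later in this bug into a handful of distinct patterns, and to confirm after the update that only non-/proc denials, if any, remain.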
FEDORA-2019-3f20be4d52 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52
selinux-policy-3.14.3-38.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52
looks good, no messages of course, and no error.
...
Jun 1 00:00:07 host systemd[1]: sa-update.service: Succeeded.
Alas, after a reboot, the issue returned. When I tested the update it was applied to the running system, after removing the semanage permissive, and after removing the local module. On reboot, same behavior as the original open was just noticed after seeing console log, at least message-wise.

[57107.643675] audit_log_start: 7 callbacks suppressed
[57107.643676] audit: audit_backlog=65 > audit_backlog_limit=64
[57107.654554] audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
[57107.661557] audit: backlog limit exceeded

Investigating that showed the denials. However, the sa-update appeared to succeed:

Jun 9 00:00:05 xxxx systemd[1]: sa-update.service: Succeeded.

ausearch -m AVC,USER_AVC,SELINUX_ERR --start "06/09/2019" --raw | wc -l
795
# rpm -q selinux-policy
selinux-policy-3.14.3-37.fc30.noarch
Hi Doug,

You're saying that sa-update succeeded, so where do you see the bug?

Thanks,
Lukas.
(In reply to Lukas Vrabec from comment #9)
> Hi Doug,
>
> You're saying that sa-update succeed, so where you see bug?
>
> Thanks,
> Lukas.

meh. The ~800 log entries complaining about the failed transitions are from the backup mail server, which did *not* get the update.

Just curious, how long will the fix be stuck in updates-testing v. just updates.

Will update this bug status tomorrow, the cronjob ran between when I saw this and pulled from updates-testing on that system. When retrying it didn't actually run sa-update as it had just run. Or maybe it did, but it sure completed very quickly.

# rpm -q selinux-policy
selinux-policy-3.14.3-38.fc30.noarch

Will know for sure in 24 hours.
(In reply to Doug Maxey from comment #10)
> (In reply to Lukas Vrabec from comment #9)
> > Hi Doug,
> >
> > You're saying that sa-update succeed, so where you see bug?
> >
> > Thanks,
> > Lukas.
>
> meh. The ~800 log entries complaining about the failed transitions are from
> the backup mail server, which did *not* get the update.
>
> Just curious, how long will the fix be stuck in updates-testing v. just
> updates.
>
> Will update this bug status tomorrow, the cronjob ran between when I saw
> this and pulled from updates-testing on that system. When retrying it didn't
> actually run sa-update as it had just run. Or maybe it did, but it sure
> completed very quickly.
>
> # rpm -q selinux-policy
> selinux-policy-3.14.3-38.fc30.noarch
>
> Will know for sure in 24 hours.

ok, it was the un-updated version on the alternate server that was complaining. Once updated, sa-update has no error messages.
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.