Description of problem: SpamAssassin installs a systemd timer called sa-update.timer. This timer runs sa-update.service. Upon update, the sa-update service tries to check the status of, and restart, the spamassassin.service, but fails due to SELinux. The following error messages are emitted per run: type=USER_AVC msg=audit(03/30/2020 21:10:35.934:185392) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/spamassassin.service cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=USER_AVC msg=audit(03/30/2020 21:10:42.449:185395) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=root uid=root gid=root cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' Version-Release number of selected component (if applicable): selinux-policy-targeted-3.14.3-56.fc30.noarch spamassassin-3.4.4-1.fc30.x86_64 How reproducible: Always Steps to Reproduce: 1. Install SpamAssassin. 2. Wait for sa-update.timer to fire. 3. Watch audit logs for AVC error. Actual results: sa-update.timer fails to restart spamassassin.service Expected results: sa-update.timer successully restarts spamassassin.service Additional info: N/A
Hi, I've the same problem and managed to cure it using this hand-made module: before: # sesearch -A -s spamd_update_t -c service allow spamd_update_t antivirus_unit_file_t:service { disable enable reload start status stop }; the custom module: # cat selinux/localSpam.te module localSpam 1.0; require { type spamd_update_t; type init_t; type systemd_unit_file_t; class service start; class system status; } #============= spamd_update_t ============== allow spamd_update_t init_t:system status; allow spamd_update_t systemd_unit_file_t:service start; # semodule -i localSpam.pp and after: # sesearch -A -s spamd_update_t -c service allow spamd_update_t antivirus_unit_file_t:service { disable enable reload start status stop }; allow spamd_update_t systemd_unit_file_t:service start; Thank you Zdenek Pytela for your insights! Laurent
FYI, I'm on f31 regards Laurent
allow spamd_update_t systemd_unit_file_t:service status; is also needed. regards Laurent Jacquot
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
---- type=USER_AVC msg=audit(11/04/2020 00:47:08.262:444) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/spamassassin.service cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=USER_AVC msg=audit(11/04/2020 00:47:08.275:445) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- # rpm -qa selinux\* spam\* | sort selinux-policy-3.14.6-29.fc33.noarch selinux-policy-targeted-3.14.6-29.fc33.noarch spamassassin-3.4.4-6.fc33.x86_64 #
*** Bug 1831559 has been marked as a duplicate of this bug. ***
I noticed this on F32 in my duplicate bug 1831559. Since @mmalik now found it on F33 too, I upgrade the version appropriately.
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The problem still remains in F35. selinux-policy-targeted-35.5-1.fc35.noarch
This seems to affect my RHEL 8.6 systems as well.
I should clarify, the problem I note on RHEL 8.6 is that the systemd unit file is denied the ability to run pgrep, so the active part of the update script never runs. (This seems to be described in #1711799 in more detail.) The relevant attempts to access procfs (via pgrep) from the spamd_update_t domain are marked as dontaudit in the selinux-policy, which makes this difficult to identify. The directory filecontext in /proc/[pid] is that of each running process which makes crafting a narrow policy exception challenging overall, but I've found that this module is sufficient to allow identification of a running spamd: module sa-update 1.0; require { type spamd_update_t; type spamd_t; class dir { getattr search }; class file { read open }; } allow spamd_update_t spamd_t:dir { getattr search }; allow spamd_update_t spamd_t:file { read open }; Ideally this should also include the contexts for the other apps checked in pgrep: - mimedefang - amavisd - spampd
(In reply to Jered Floyd from comment #13) > This seems to affect my RHEL 8.6 systems as well. Please file a bz for RHEL 8 then. This is a F36 bz for a different problem, the ones reported by you are already addressed: f36# sesearch -A -s spamd_update_t -t spamd_t -c dir allow spamd_update_t domain:dir { getattr ioctl lock open read search }; f36# sesearch -A -s spamd_update_t -t spamd_t -c file allow spamd_update_t domain:file { getattr ioctl lock open read };
FEDORA-2022-70c63dd1e2 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-70c63dd1e2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.