This is f31 fully updated The package pyzor, used for checking mails to avoid spam, wants to access /proc/net when used from procmail: # grep spamc /etc/procmailrc | /usr/bin/spamc -u $USER -d 127.0.0.1 -p 783 spamassassin is configured to uses pyzor: # grep pyzor /etc/mail/spamassassin/local.cf use_pyzor 1 pyzor_timeout 20 # grep Pyzor /etc/mail/spamassassin/v310.pre loadplugin Mail::SpamAssassin::Plugin::Pyzor but then each time a mail is checked there is this avc: # ausearch -m avc -su spamc_t -ts 07/04/2020 |tail -1 type=AVC msg=audit(1586353691.120:6538): avc: denied { read } for pid=343477 comm="pyzor" name="unix" dev="proc" ino=4026532056 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 # ll -i /proc/net/unix 4026532056 -r--r--r--. 1 root root 0 11 avril 11:52 /proc/net/unix this custom module stops those avc, but maybe a don't audit rules is better? # cat selinux/localSpam.te require { type proc_net_t; type spamc_t; class file read; } #============= spamc_t ============== allow spamc_t proc_net_t:file read; regards Laurent Jacquot
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/235
commit 14d69bd0bab57b057a1cb94fcf150fdeee0c98c4 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Zdenek Pytela <zpytela> Date: Thu Apr 16 12:27:10 2020 +0200 Allow spamc_t domain to read network state Resolves: rhbz#1823061 Backported to F32 and F31.
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.