(This is a followup to bug 1711799 which got mostly solved, but had some residue. Since that bug has become a bit messy, I'm creating this separate report for the remainder.)

Description of problem:
The sa-update cron job wants to condrestart the spamassassin service after having downloaded updated information. It isn't allowed to do that.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.5-32.fc32.noarch

Steps to Reproduce:
1. Enable spamassassin and sa-update

Actual results:
The spamd daemon is not restarted, and those AVCs show up in the log:

time->Tue May 5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.884:584901): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue May 5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.890:584902): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Expected results:
The spamd server should have been restarted.

Additional info:
The following additional module seems to fix the problem.

module sa-updatefix 1.12;

require {
        type init_t;
        type spamd_update_t;
        type systemd_unit_file_t;
        all_kernel_class_perms
}

allow spamd_update_t init_t:system status;
allow spamd_update_t systemd_unit_file_t:service { start };
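
How the two USER_AVC records map onto the two allow rules in the module above, as an added example that is not part of the original report or of selinux-policy. It takes the denied domain from scontext= inside the message rather than from the outer subj= field; the names SAMPLE_LOG, AVC_RE, selinux_type and denials_to_rules are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two USER_AVC records from the report, with fields not used here trimmed.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1588631772.884:584901): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd"'
type=USER_AVC msg=audit(1588631772.890:584902): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe="/usr/lib/systemd/systemd"'
"""

# Match from "avc:" onward so the outer subj= (systemd, the object manager that
# logged the record) is never mistaken for the denied domain in scontext=.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Group denied permissions by (source, target, class) and render allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        # A domain acting on its own type is written as "self" in policy.
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

A single permission is printed without braces, which is equivalent to the `{ start }` form used in the module.
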
Hi, Thank you for reporting the issue. We need to confine /usr/lib/systemd/system/spamassassin.service which will need a few more changes in other modules.
I believe this bug is a duplicate of BZ#1819017.
Except that bug is for Fedora 31, it does indeed seem to be a duplicate.

*** This bug has been marked as a duplicate of bug 1819017 ***