1831559 – sa-update is not allowed to restart spamassassin

Bug 1831559 - sa-update is not allowed to restart spamassassin

Summary: sa-update is not allowed to restart spamassassin

Keywords:
Status:	CLOSED DUPLICATE of bug 1819017
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-05 09:30 UTC by Göran Uddeborg
Modified:	2020-11-12 09:26 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-05 20:38:25 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Göran Uddeborg 2020-05-05 09:30:40 UTC

(This is a followup to bug 1711799 which got mostly solved, but had some residue.  Since that bug has become a bit messy, I'm creating this separate report for the remainder.)

Description of problem:
The sa-update cron job wants to condrestart the spamassassin service after having downloaded updated information.  It isn't allowed to do that.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.5-32.fc32.noarch


Steps to Reproduce:
1. Enable spamassassin and sa-update


Actual results:
The spamd daemon is not restarted, and those AVC:s show up in the log:

time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.884:584901): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.890:584902): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
The spamd server should have been restarted.


Additional info:

The following additional module seems to fix the problem.

module sa-updatefix 1.12;

require {
	type init_t;
        type spamd_update_t;
	type systemd_unit_file_t;
	all_kernel_class_perms
}

allow spamd_update_t init_t:system status;
allow spamd_update_t systemd_unit_file_t:service { start };

Comment 1 Zdenek Pytela 2020-05-05 12:21:02 UTC

Hi,

Thank you for reporting the issue. We need to confine /usr/lib/systemd/system/spamassassin.service which will need a few more changes in other modules.

Comment 2 Milos Malik 2020-11-04 08:35:23 UTC

I believe this bug is a duplicate of BZ#1819017.

Comment 4 Göran Uddeborg 2020-11-05 20:38:25 UTC

Except that bug is for Fedora 31, it does indeed seem to be a duplicate.

*** This bug has been marked as a duplicate of bug 1819017 ***

Note You need to log in before you can comment on or make changes to this bug.