2252484 – avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39

Bug 2252484 - avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39

Summary: avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	39
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2260636 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-12-01 23:27 UTC by Edgar Hoch
Modified:	2024-01-30 04:22 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-39.4-1.fc39
Clone Of:
Environment:
Last Closed:	2024-01-30 04:22:07 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Output of "ausearch --raw -m avc" in permissive mode (168.29 KB, text/plain) 2023-12-01 23:29 UTC, Edgar Hoch	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1984	0	None	open	Allow spamd_update_t the sys_ptrace capability in user namespace	2023-12-21 16:35:20 UTC

Description Edgar Hoch 2023-12-01 23:27:51 UTC

After installing Fedora 39 using my kickstart file with many packages (17637 currently) I got some avc denials.

ausearch --raw -m avc | audit2allow

results in

#============= policykit_auth_t ==============
allow policykit_auth_t proc_net_t:lnk_file read;
allow policykit_auth_t sysctl_net_t:dir search;
allow policykit_auth_t sysctl_net_t:file { getattr open read };

#============= policykit_t ==============
allow policykit_t proc_net_t:lnk_file read;
allow policykit_t sysctl_net_t:dir search;
allow policykit_t sysctl_net_t:file { getattr open read };

#============= spamd_update_t ==============
allow spamd_update_t self:cap_userns sys_ptrace;
allow spamd_update_t sysfs_t:dir read;
allow spamd_update_t sysfs_t:file read;


Reproducible: Always

Comment 1 Edgar Hoch 2023-12-01 23:29:17 UTC

Created attachment 2002411 [details]
Output of "ausearch --raw -m avc" in permissive mode

Comment 2 Zdenek Pytela 2023-12-04 09:27:35 UTC

Edgar,

Some of the reported denials have been addressed, but I don't have enough information about the sys_ptrace, do you have a direct reproducer, or can you collect denials with full auditing enabled?

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 3 Edgar Hoch 2023-12-18 23:19:00 UTC

Sorry for the delay.

I found that the denials was reported every day short after midnight. I checked cron and systemd and found that services logrotate.service, sa-update.service and unbound-anchor.service are timed for midnight every day.

For logrotate.service, one file contains "pgrep", but I don't think that this caused the denial message, because it doesn't contain "spamd".
/etc/logrotate.d/glusterfs:    /usr/bin/killall -HUP `pgrep -f "glusterfs.*snapd"` > /dev/null 2>&1 || true

But sa-update.service calls /usr/share/spamassassin/sa-update.cron, which contains the following lines:

for daemon in mimedefang spamd amavisd spampd; do
    /usr/bin/pgrep -f $daemon >& /dev/null
    [ $? -eq 0 ] && SAUPDATE=yes
done

So I think the message is caused by package spamassassin-4.0.0-6.fc39.x86_64 .

type=AVC msg=audit(1702854015.017:42859): avc:  denied  { sys_ptrace } for  pid=1077477 comm="pgrep" capability=19  scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:spamd_update_t:s0 tclass=cap_userns permissive=1

I hope this helps.

Comment 4 Zdenek Pytela 2023-12-21 16:35:21 UTC

It's helpful, thank you, I haven't reproduced it yet.

Comment 5 Fedora Update System 2024-01-26 23:19:57 UTC

FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

Comment 6 Fedora Update System 2024-01-27 02:35:14 UTC

FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Zdenek Pytela 2024-01-29 11:50:21 UTC

*** Bug 2260636 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2024-01-30 04:22:07 UTC

FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.