Bug 2252484 - avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39
Summary: avc denials policykit_auth_t policykit_t spamd_update_t Fedora 39
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
: 2260636 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2023-12-01 23:27 UTC by Edgar Hoch
Modified: 2024-01-30 04:22 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-39.4-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2024-01-30 04:22:07 UTC
Type: ---

Attachments (Terms of Use)
Output of "ausearch --raw -m avc" in permissive mode (168.29 KB, text/plain)
2023-12-01 23:29 UTC, Edgar Hoch
no flags Details

System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1984 0 None open Allow spamd_update_t the sys_ptrace capability in user namespace 2023-12-21 16:35:20 UTC

Description Edgar Hoch 2023-12-01 23:27:51 UTC
After installing Fedora 39 using my kickstart file with many packages (17637 currently) I got some avc denials.

ausearch --raw -m avc | audit2allow

results in

#============= policykit_auth_t ==============
allow policykit_auth_t proc_net_t:lnk_file read;
allow policykit_auth_t sysctl_net_t:dir search;
allow policykit_auth_t sysctl_net_t:file { getattr open read };

#============= policykit_t ==============
allow policykit_t proc_net_t:lnk_file read;
allow policykit_t sysctl_net_t:dir search;
allow policykit_t sysctl_net_t:file { getattr open read };

#============= spamd_update_t ==============
allow spamd_update_t self:cap_userns sys_ptrace;
allow spamd_update_t sysfs_t:dir read;
allow spamd_update_t sysfs_t:file read;

Reproducible: Always

Comment 1 Edgar Hoch 2023-12-01 23:29:17 UTC
Created attachment 2002411 [details]
Output of "ausearch --raw -m avc" in permissive mode

Comment 2 Zdenek Pytela 2023-12-04 09:27:35 UTC

Some of the reported denials have been addressed, but I don't have enough information about the sys_ptrace, do you have a direct reproducer, or can you collect denials with full auditing enabled?


Comment 3 Edgar Hoch 2023-12-18 23:19:00 UTC
Sorry for the delay.

I found that the denials was reported every day short after midnight. I checked cron and systemd and found that services logrotate.service, sa-update.service and unbound-anchor.service are timed for midnight every day.

For logrotate.service, one file contains "pgrep", but I don't think that this caused the denial message, because it doesn't contain "spamd".
/etc/logrotate.d/glusterfs:    /usr/bin/killall -HUP `pgrep -f "glusterfs.*snapd"` > /dev/null 2>&1 || true

But sa-update.service calls /usr/share/spamassassin/sa-update.cron, which contains the following lines:

for daemon in mimedefang spamd amavisd spampd; do
    /usr/bin/pgrep -f $daemon >& /dev/null
    [ $? -eq 0 ] && SAUPDATE=yes

So I think the message is caused by package spamassassin-4.0.0-6.fc39.x86_64 .

type=AVC msg=audit(1702854015.017:42859): avc:  denied  { sys_ptrace } for  pid=1077477 comm="pgrep" capability=19  scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:spamd_update_t:s0 tclass=cap_userns permissive=1

I hope this helps.

Comment 4 Zdenek Pytela 2023-12-21 16:35:21 UTC
It's helpful, thank you, I haven't reproduced it yet.

Comment 5 Fedora Update System 2024-01-26 23:19:57 UTC
FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

Comment 6 Fedora Update System 2024-01-27 02:35:14 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Zdenek Pytela 2024-01-29 11:50:21 UTC
*** Bug 2260636 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2024-01-30 04:22:07 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.