Discussion on devel: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2VLW4M6HTZUNKEBNOA4VYER2UTCEULQG/

Currently, logrotate configuration snippets using `systemctl kill` do not work, generating an AVC:

```
type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" cmdline="" function="bus_unit_method_kill" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
```

(selinux-policy-targeted-41.40-1.fc42.noarch)

The goal is to replace

```
kill -<signal> `cat /run/<pidfile> 2>/dev/null` 2>/dev/null || true
```

or even

```
kill -<signal> $(systemctl show --property MainPID --value <service>)
```

with

```
systemctl kill --signal=<signal> --kill-who=main <service> 2>/dev/null || true
```

It would be welcome for the SELinux policy to allow this, making logrotate postrotate scripts simpler and more elegant.
Marcos,

Can you check the copr build in the assigned pull request, or the following module, if it is sufficient?

```
# cat local_logrotate_stop.cil
(allow logrotate_t systemd_unit_file_type (service (stop)))
# semodule -i local_logrotate_stop.cil
```
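To show how the AVC in comment #1 maps onto the CIL rule in comment #2, here is an added Python example (not from this bug report or from selinux-policy): it parses the audit record fields and emits the narrowest `allow` rule for exactly that denial, plus the attribute-widened form the maintainer chose. The audit line is a constructed copy of the one quoted above, and the `systemd_unit_file_type` attribute is taken from comment #2.

```python
import re

# Constructed sample: the AVC quoted in comment #1 of this bug, as one audit line.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } "
    'for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" '
    'cmdline="" function="bus_unit_method_kill" '
    "scontext=system_u:system_r:logrotate_t:s0 "
    "tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 "
    'exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\''
)

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set inside "avc: denied { ... }".
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_avc(line):
    """Extract source type, target type, class and denied permissions from one AVC."""
    denied = DENIED_RE.search(line)
    if denied is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type:level; the type is the third field.
    return {
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": denied.group(1).split(),
        # permissive=1 means the access was logged but not actually blocked.
        "permissive": fields.get("permissive") == "1",
    }


def to_cil(avc, target=None):
    """Render the minimal CIL allow rule; `target` can widen it to an attribute."""
    perms = " ".join(avc["perms"])
    return "(allow %s %s (%s (%s)))" % (
        avc["source_type"], target or avc["target_type"], avc["tclass"], perms)


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(to_cil(avc))                                    # exact type from the AVC
    print(to_cil(avc, target="systemd_unit_file_type"))   # the rule from comment #2
```

The narrow rule would only cover `httpd_unit_file_t` (php-fpm); the widened rule is what makes `systemctl kill` usable from every service's logrotate snippet.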
Thank you very much, with the copr repository version (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The output of `systemctl status php-fpm.service` confirms that the postrotate script action was executed (and without AVCs):

```
jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to main process 2753 (php-fpm) on client request.
```

I plan to file bugs for all packages where using `systemctl kill` makes sense in the logrotate configuration snippets. Should I suggest to the package maintainers that the changes be applied only to rawhide?
(In reply to Marcos Mello from comment #2)
> Thank you very much, with the copr repository version
> (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The
> output of `systemctl status php-fpm.service` confirms that the postrotate
> script action was executed (and without AVCs):
>
> ```
> jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to
> main process 2753 (php-fpm) on client request.
> ```
>
> I plan to file bugs for all packages where using `systemctl kill` makes
> sense in the logrotate configuration snippets. Should I suggest to the
> package maintainers that the changes be applied only to rawhide?

The policy is currently shared between F43, F42, F41. Given the impact, I already allowed the permission for every service as seen in the discussion. Do you think this is not necessary?
It's perfect as it is. My concern is whether, if package maintainers add `systemctl kill` to logrotate configuration snippets in updates for F42 or F41, there's a possibility that the SELinux policy hasn't been updated yet to include this change, which could impair the log rotation of the daemon in question.
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491
FEDORA-2025-f9f097f491 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-f9f097f491` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Marcos Mello from comment #4)
> It's perfect as it is. My concern is whether, if package maintainers add
> `systemctl kill` to logrotate configuration snippets in updates for F42 or
> F41, there's a possibility that the SELinux policy hasn't been updated yet
> to include this change, which could impair the log rotation of the daemon in
> question.

Builds for all three supported releases are on the way.
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make note of it in this bug report.