Discussion on devel: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2VLW4M6HTZUNKEBNOA4VYER2UTCEULQG/

Currently, logrotate configuration snippets using `systemctl kill` do not work, generating an AVC:

```
type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" cmdline="" function="bus_unit_method_kill" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
```

(selinux-policy-targeted-41.40-1.fc42.noarch)

The goal is to replace

```
kill -<signal> `cat /run/<pidfile> 2>/dev/null` 2>/dev/null || true
```

or even

```
kill -<signal> $(systemctl show --property MainPID --value <service>)
```

with

```
systemctl kill --signal=<signal> --kill-who=main <service> 2>/dev/null || true
```

It would be welcome for the SELinux policy to allow this, making logrotate postrotate scripts simpler and more elegant.
Marcos,

Can you check the copr build in the assigned pull request, or the following module, if it is sufficient?

```
# cat local_logrotate_stop.cil
(allow logrotate_t systemd_unit_file_type (service (stop)))
# semodule -i local_logrotate_stop.cil
```
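As an added illustration (not code from this bug or from the selinux-policy project), the following Python turns the USER_AVC record quoted in the first comment into the CIL allow rule tested above, either for the exact unit type in the denial or widened to the systemd_unit_file_type attribute as the proposed fix does; the regex, function names and the trimmed sample record are my own.

```python
import re

# Constructed sample input: the USER_AVC record from comment 1 of this bug,
# with the trailing interpretive UID/AUID fields dropped.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } "
    'for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" '
    'cmdline="" function="bus_unit_method_kill" '
    "scontext=system_u:system_r:logrotate_t:s0 "
    "tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 "
    'exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\''
)

# Fields shared by kernel AVC records and USER_AVC records emitted by systemd.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<perm>[01]))?"
)

def parse_avc(record):
    """Extract source/target type, class, permissions and enforcement state."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {
        "source": m.group("sctx").split(":")[2],   # e.g. logrotate_t
        "target": m.group("tctx").split(":")[2],   # e.g. httpd_unit_file_t
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
        # permissive=1 means the access was only logged, not actually blocked
        "enforced": m.group("perm") != "1",
    }

def cil_allow(denial, target=None):
    """Render a CIL allow rule; `target` widens it to an attribute such as
    systemd_unit_file_type instead of the single unit type in the denial."""
    return "(allow {} {} ({} ({})))".format(
        denial["source"], target or denial["target"],
        denial["tclass"], " ".join(denial["perms"]))

def rules_from_audit(text, target=None):
    """Turn a block of audit records into de-duplicated CIL allow rules."""
    rules = []
    for denial in filter(None, map(parse_avc, text.splitlines())):
        rule = cil_allow(denial, target)
        if rule not in rules:
            rules.append(rule)
    return rules
```

Note that the sample record carries permissive=1, so `parse_avc` reports it as not enforced: the kill was logged but still delivered, which is why a denial in the audit log alone does not prove the rotation failed.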
Thank you very much, with the copr repository version (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The output of `systemctl status php-fpm.service` confirms that the postrotate script action was executed (and without AVCs):

```
jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to main process 2753 (php-fpm) on client request.
```

I plan to file bugs for all packages where using `systemctl kill` makes sense in the logrotate configuration snippets. Should I suggest to the package maintainers that the changes be applied only to rawhide?
(In reply to Marcos Mello from comment #2)
> Thank you very much, with the copr repository version
> (41.42-1.20250604151109788839.pr2719.2.g5e916ff80.fc42), it worked. The
> output of `systemctl status php-fpm.service` confirms that the postrotate
> script action was executed (and without AVCs):
>
> ```
> jun 04 14:03:52 fedora systemd[1]: php-fpm.service: Sent signal SIGUSR1 to
> main process 2753 (php-fpm) on client request.
> ```
>
> I plan to file bugs for all packages where using `systemctl kill` makes
> sense in the logrotate configuration snippets. Should I suggest to the
> package maintainers that the changes be applied only to rawhide?

The policy is currently shared between F43, F42, F41. Given the impact, I already allowed the permission for every service as seen in the discussion. Do you think this is not necessary?
It's perfect as it is. My concern is whether, if package maintainers add `systemctl kill` to logrotate configuration snippets in updates for F42 or F41, there's a possibility that the SELinux policy hasn't been updated yet to include this change, which could impair the log rotation of the daemon in question.
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491
FEDORA-2025-f9f097f491 has been pushed to the Fedora 42 testing repository.

Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-f9f097f491`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f9f097f491

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Marcos Mello from comment #4)
> It's perfect as it is. My concern is whether, if package maintainers add
> `systemctl kill` to logrotate configuration snippets in updates for F42 or
> F41, there's a possibility that the SELinux policy hasn't been updated yet
> to include this change, which could impair the log rotation of the daemon in
> question.

Builds for all three supported releases are on the way.
FEDORA-2025-f9f097f491 (selinux-policy-41.43-1.fc42) has been pushed to the Fedora 42 stable repository.

If the problem still persists, please make note of it in this bug report.
I tried every way to open a bug report in CentOS Stream but haven't had any luck since the migration to Jira -- I always get "You don't have access to redhat.atlassian.net". So I'm trying here. selinux-policy-41.43 is required for `systemctl kill` in logrotate configuration fragments. CentOS Stream 10 has already been rebased to policy version 42 and supports this. Please backport the following commit to the CentOS Stream 9 policy: https://github.com/fedora-selinux/selinux-policy/commit/3daaed0cc20a19afd48e82231d1d0ae45129d66d -- this would simplify maintenance for EPEL package maintainers. A backport to RHEL 8 would also help. Note that RHEL 8 does not support the `--kill-whom` option of `systemctl kill`; in that case maintainers must use the older `--kill-who` option. I can file bugs for affected EPEL 8 packages if you confirm backporting the commit to RHEL 8 is feasible, since CentOS Stream 8 is EOL. Thank you for your time.