Bug 1714823
| Field | Value |
|---|---|
| Summary | cron job run daily that calls sa-update throws 100's of AVCs on pgrep |
| Product | Fedora |
| Component | selinux-policy |
| Version | 30 |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Doug Maxey <bz> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, jskarvad, kevin, lvrabec, mgrepl, nb, olysonek, plautrba, wtogami, zpytela |
| Keywords | Reopened |
| Fixed In Version | selinux-policy-3.14.3-39.fc30 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2019-06-15 06:27:52 UTC |
| Attachments | 1574551 (extracted AVCs), 1574552 (the generated .te), 1574553 (the .cil output) |
Created attachment 1574551 [details]
extracted AVCs

Description of problem:
Install and operation of spamassassin creates a systemd job, via /usr/lib/systemd/system/sa-update.service. When that service runs, it calls pgrep, which then generates 100's of AVCs on access to the /proc fs.

Version-Release number of selected component (if applicable):
spamassassin-3.4.2-4.fc30.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install and start spamassassin
2.
3.

Actual results:

Expected results:

Additional info:
typical AVC:

    type=AVC msg=audit(1558501200.531:945): avc: denied { getattr } for pid=19301 comm="pgrep" path="/proc/2" dev="proc" ino=12870 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0

Created attachment 1574552 [details]
the generated .te

Created attachment 1574553 [details]
the .cil output

Moving to selinux-policy for comment. This would likely also be fixed by moving sa-update to a proper unit file.

commit 9c3b5d3308f713cb66554ab3d85cffd73861c6fc
Author: Lukas Vrabec <lvrabec>
Date:   Tue May 21 15:39:13 2019 +0200

    Dontaudit spamd_update_t domain to read all domains states
    BZ(1711799)

FEDORA-2019-3f20be4d52 has been submitted as an update to Fedora 30.
https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52

selinux-policy-3.14.3-38.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52

Looks good, no messages of course, and no error.
...
Jun 1 00:00:07 host systemd[1]: sa-update.service: Succeeded.

Alas, after a reboot, the issue returned. When I tested the update it was applied to the running system, after removing the semanage permissive, and after removing the local module. On reboot, same behavior as the original open was just noticed after seeing console log, at least message-wise.

    [57107.643675] audit_log_start: 7 callbacks suppressed
    [57107.643676] audit: audit_backlog=65 > audit_backlog_limit=64
    [57107.654554] audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
    [57107.661557] audit: backlog limit exceeded

Investigating that showed the denials. However, the sa-update appeared to succeed:

    Jun 9 00:00:05 xxxx systemd[1]: sa-update.service: Succeeded.

    ausearch -m AVC,USER_AVC,SELINUX_ERR --start "06/09/2019" --raw | wc -l
    795
    # rpm -q selinux-policy
    selinux-policy-3.14.3-37.fc30.noarch

Hi Doug,

You're saying that sa-update succeeded, so where do you see the bug?

Thanks,
Lukas.

(In reply to Lukas Vrabec from comment #9)
> Hi Doug,
>
> You're saying that sa-update succeeded, so where do you see the bug?
>
> Thanks,
> Lukas.

meh. The ~800 log entries complaining about the failed transitions are from the backup mail server, which did *not* get the update.

Just curious, how long will the fix be stuck in updates-testing v. just updates.

Will update this bug status tomorrow, the cronjob ran between when I saw this and pulled from updates-testing on that system. When retrying it didn't actually run sa-update as it had just run. Or maybe it did, but it sure completed very quickly.

    # rpm -q selinux-policy
    selinux-policy-3.14.3-38.fc30.noarch

Will know for sure in 24 hours.

(In reply to Doug Maxey from comment #10)
> (In reply to Lukas Vrabec from comment #9)
> > Hi Doug,
> >
> > You're saying that sa-update succeeded, so where do you see the bug?
> >
> > Thanks,
> > Lukas.
>
> meh. The ~800 log entries complaining about the failed transitions are from
> the backup mail server, which did *not* get the update.
>
> Just curious, how long will the fix be stuck in updates-testing v. just
> updates.
>
> Will update this bug status tomorrow, the cronjob ran between when I saw
> this and pulled from updates-testing on that system. When retrying it didn't
> actually run sa-update as it had just run. Or maybe it did, but it sure
> completed very quickly.
>
> # rpm -q selinux-policy
> selinux-policy-3.14.3-38.fc30.noarch
>
> Will know for sure in 24 hours.

ok, it was the un-updated version on the alternate server that was complaining. Once updated, sa-update has no error messages.

FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30.
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
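The report above shows the two things an SELinux triage usually turns on: which access vector (source domain, target type, object class, permission) is being logged hundreds of times, and whether `permissive=0` means the access was actually blocked or only recorded. The script below is an added example, not code from the bug report or from the selinux-policy project. It parses raw audit records of the form quoted in the report, aggregates denials per access vector, separates enforced from permissive-mode denials, and emits candidate `dontaudit` lines for human review (the upstream fix referenced in this bug silenced the same vector, since pgrep scanning other processes' /proc entries is not something sa-update needs). The sample audit text is constructed: it repeats the AVC from the report and adds two made-up variants plus a non-AVC record.

```python
import re
from collections import Counter

# Constructed sample audit log: the AVC quoted in the bug report, plus two
# constructed variants (a second /proc entry, and one denial recorded on a host
# running in permissive mode) and one non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1558501200.531:945): avc:  denied  { getattr } for  pid=19301 comm="pgrep" path="/proc/2" dev="proc" ino=12870 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558501200.532:946): avc:  denied  { getattr } for  pid=19301 comm="pgrep" path="/proc/3" dev="proc" ino=12871 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1558501200.540:947): avc:  denied  { read open } for  pid=19301 comm="pgrep" name="cmdline" dev="proc" ino=12990 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1558501200.531:945): arch=c000003e syscall=4 success=no exit=-13 comm="pgrep"
"""

# Matches "avc:  denied  { getattr }" (also "granted", and several permissions in one set).
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one raw audit record; return a dict for AVC records, None otherwise."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "sdomain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "permissive": fields.get("permissive", "?"),
    }


def summarize(text):
    """Count denials per (source domain, target type, class, permission, permissive flag)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm, rec["permissive"])] += 1
    return counts


def enforced_denials(counts):
    """Keep only denials with permissive=0, i.e. accesses that were actually blocked.
    On a permissive host the same records are logged but nothing is stopped, which is
    why a denial count alone does not tell you whether a service failed."""
    return {key: n for key, n in counts.items() if key[4] == "0"}


def candidate_rules(counts):
    """Candidate policy lines for human review, one per distinct access vector.
    Whether dontaudit (silence a harmless, unneeded access) or allow (the access is
    genuinely required) is right must be decided per vector; never apply unreviewed."""
    rules = {f"dontaudit {sdom} {ttype}:{tclass} {perm};"
             for (sdom, ttype, tclass, perm, _) in counts}
    return sorted(rules)


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {key[0]} -> {key[1]}:{key[2]} {key[3]} (permissive={key[4]})")
    print("\n".join(candidate_rules(enforced_denials(counts))))
```

On a real host the input would be the output of `ausearch -m AVC --raw` as used in the report; the aggregation is what tells you that ~800 records collapse into a single access vector, and the permissive flag is what distinguishes a noisy-but-working system from one where the service is actually being blocked.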