Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1831559

Summary: sa-update is not allowed to restart spamassassin
Product: [Fedora] Fedora Reporter: Göran Uddeborg <goeran>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 32CC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-05 20:38:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Göran Uddeborg 2020-05-05 09:30:40 UTC 
(This is a followup to bug 1711799 which got mostly solved, but had some residue.  Since that bug has become a bit messy, I'm creating this separate report for the remainder.)

Description of problem:
The sa-update cron job wants to condrestart the spamassassin service after having downloaded updated information.  It isn't allowed to do that.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.5-32.fc32.noarch


Steps to Reproduce:
1. Enable spamassassin and sa-update


Actual results:
The spamd daemon is not restarted, and those AVC:s show up in the log:

time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.884:584901): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue May  5 00:36:12 2020
type=USER_AVC msg=audit(1588631772.890:584902): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


Expected results:
The spamd server should have been restarted.


Additional info:

The following additional module seems to fix the problem.

module sa-updatefix 1.12;

require {
	type init_t;
        type spamd_update_t;
	type systemd_unit_file_t;
	all_kernel_class_perms
}

allow spamd_update_t init_t:system status;
allow spamd_update_t systemd_unit_file_t:service { start };
Comment 1 Zdenek Pytela 2020-05-05 12:21:02 UTC 
Hi,

Thank you for reporting the issue. We need to confine /usr/lib/systemd/system/spamassassin.service which will need a few more changes in other modules.
Comment 2 Milos Malik 2020-11-04 08:35:23 UTC 
I believe this bug is a duplicate of BZ#1819017.
Comment 4 Göran Uddeborg 2020-11-05 20:38:25 UTC 
Except that bug is for Fedora 31, it does indeed seem to be a duplicate.

*** This bug has been marked as a duplicate of bug 1819017 ***