On Tue, Apr 7, 2020 at 1:54 PM Laurent Jacquot <jk@xxxxxxxxx> wrote:
Hello,
Every day I have these AVCs in my logs (F31 fully updated):
Apr 7 00:00:00 jack audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sa-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/spamassassin.service" cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0#012 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0#012 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Apr 7 00:15:19 jack audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sa-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
and in /var/log/sa-update.log
07-avril-2020 00:15:19: SpamAssassin: Update processed successfully
I try to understand what is going on: the sa-update service is started
OK, but 15 seconds later, the same? service is denied start and status,
and finally is stopped with success.
At 00:00, sa-update service is started off a timer service. It waits a random time (this time 15 minutes, not seconds) and executes
systemctl condrestart spamassassin.service
which is denied as spamd_update_t is only allowed to manage the antivirus unit type:
# sesearch -A -s spamd_update_t -c service
allow spamd_update_t antivirus_unit_file_t:service { disable enable reload start status stop };
I would be grateful to get any hints on how to debug this issue and
stop the AVCs.
To debug further and see more details, these commands may appear to be useful provided you have the auditd service running:
1. Open the /etc/audit/rules.d/audit.rules file.
2. Remove or comment-out the following line if it exists:
-a task,never
3. Add the following line at the end of the file:
-w /etc/shadow -p w -k shadow-write
4. Restart the audit daemon:
# service auditd restart
5. Verify the current audit rules (no rule for not auditing, a watch rule):
# auditctl -l
6. Wait for the nightly job to process.
7. Collect the denials:
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today > /tmp/ausearch.out
These changes will persist across reboots.
To resolve, a change is required in the selinux-policy package, or a custom policy can be created as a workaround.
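As an added example (not from the thread), a small Python script that parses the two USER_AVC records above and renders the .te source for the custom policy module mentioned as a workaround; it assumes the refpolicy module syntax that audit2allow emits, and the module name local_spamd_update is an arbitrary choice made here.

```python
import re
# Two USER_AVC records constructed from the thread above, one record per line
# ("#012" is the syslog encoding of the newline inside the msg field).
SAMPLE_RECORDS = [
    "Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 "
    'path="/usr/lib/systemd/system/spamassassin.service" cmdline="" '
    "scontext=system_u:system_r:spamd_update_t:s0 "
    "tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0#012 "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "Apr 7 00:15:19 jack audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 "
    'cmdline="" scontext=system_u:system_r:spamd_update_t:s0 '
    "tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0#012 "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)"
                    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def type_of(context):
    """user:role:type[:level] -> type, the part an allow rule needs."""
    return context.split(":")[2]

def parse_denials(records):
    """One (source type, target type, class, frozenset of permissions) per AVC denial."""
    found = []
    for rec in records:
        m = AVC_RE.search(rec)
        if m:  # SERVICE_START/SERVICE_STOP records carry no 'avc:' field and are skipped
            found.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                          m["tclass"], frozenset(m["perms"].split())))
    return found

def to_te_module(denials, name="local_spamd_update"):
    """Render refpolicy-style .te source for the workaround module (audit2allow's shape).
    Caveat: systemd_unit_file_t is the generic label of every unit file without its own
    type, so this rule is wider than the existing antivirus_unit_file_t one."""
    types = sorted({t for d in denials for t in d[:2]})
    perms = {}
    for _src, _tgt, cls, p in denials:
        perms.setdefault(cls, set()).update(p)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(perms[c]))} }};" for c in sorted(perms)]
    out += ["}", ""]
    for src, tgt, cls, p in sorted(denials, key=lambda d: d[:3]):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out) + "\n"
```

The rendered source is built and loaded with the usual checkmodule -M -m, semodule_package and semodule -i steps; since the page's own allow rule only covers antivirus_unit_file_t, check whether the unit file's label, rather than the rule set, is what the selinux-policy fix should change.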