SpamAssassin Log explosion issue following update

Ted Rule ejtr at layer3.co.uk
Fri Feb 23 09:16:55 UTC 2007


I've had another dig through the remnants of logs following yesterday's
log explosion. Fortunately, I hadn't completely eliminated the log
history of the crash.

It seems that Dan is quite right in saying that the RPM Upgrade didn't
cause the issue. The logs show that it all started when I amended my
localanacron policy some 2 minutes before the log explosion started.

I see these two entries:

...
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:sysadm_r:initrc_t:s0
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:system_r:spamd_t:s0
...

All I had done was to add these lines to localanacron.te, (part of
debugging another issue arising out of running anacron instead of
crond), increment the module version number, run "make localanacron.pp"
and then "semodule -u localanacron.pp":

...

        # Odd setfscreate message when using Anacron but apparently not when using Crond
        #Feb 21 08:47:59 topaz kernel: audit(1172047679.147:93): avc: denied  { setfscreate } for  pid=5340 comm="cp" scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=process
        allow system_crond_t self:process setfscreate;
        # Attempt to debug the problem
        auditallow { crond_t system_crond_t } self:process setfscreate;
...


Just for luck, I checked that the devel environment has the same version
number as the overall policy:

[root@topaz selinux.local]# rpm -q selinux-policy-strict
selinux-policy-strict-2.4.6-37.fc6
[root@topaz selinux.local]# rpm -qf /usr/share/selinux/devel/Makefile
selinux-policy-devel-2.4.6-37.fc6
[root@topaz selinux.local]#

Presumably, there's something amiss with the way I'm adding local
patches to the policy which is causing SELinux to invalidate contexts
during a local module upgrade.

None of my patches directly overwrite any of the default .pp modules; I
try to use localxxxxxx.pp to tweak xxxxxx.pp policy.

Some of my modules do admittedly add types, as well as refining
file-labelling and overall policy. Is perhaps the problem related to the
way RPM update to policy itself is performed?

Maybe I should be following this general method instead of a plain yum
update??

# semodule -r localxxxxxx.pp
# yum update selinux-policy-strict
# semodule -i localxxxxxx.pp



....
Feb 22 11:15:43 topaz kernel: audit(1172142943.430:470): avc:  denied { write } for  pid=14039 comm="su" name="root" dev=hda2 ino=258817 scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
Feb 22 11:18:31 topaz syslog-ng[2517]: STATS: dropped 0
Feb 22 11:19:10 topaz kernel: security:  5 users, 5 roles, 2081 types, 87 bools, 1 sens, 1024 cats
Feb 22 11:19:10 topaz kernel: security:  59 classes, 158274 rules
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:sysadm_r:initrc_t:s0
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:system_r:spamd_t:s0
Feb 22 11:19:10 topaz dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Feb 22 11:19:10 topaz dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Feb 22 11:19:10 topaz kernel: audit(1172143150.903:471): policy loaded auid=4294967295
Feb 22 11:21:19 topaz kernel: 29 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 11:21:19 topaz kernel: audit(1172143279.378:42740): avc:  denied { search } for  pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 11:21:19 topaz kernel: audit(1172143279.378:42741): avc:  denied { search } for  pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 11:21:19 topaz kernel: audit(1172143279.378:42742): avc:  denied { search } for  pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
...


[root@topaz ~]# ls -lrt selinux.local/*.pp
-rw-r--r-- 1 root root  22394 Jan 17 19:52 selinux.local/localsysadm.pp
-rw-r--r-- 1 root root  21743 Jan 26 17:21 selinux.local/localsudo.pp
-rw-r--r-- 1 root root  24145 Feb  1 14:18 selinux.local/localjava.pp
-rw-r--r-- 1 root root 370766 Feb  7 17:17 selinux.local/myevolution.pp
-rw-r--r-- 1 root root  29649 Feb 17 18:25 selinux.local/localfirefox.pp
-rw-r--r-- 1 root root  36556 Feb 17 18:25 selinux.local/localevolution.pp
-rw-r--r-- 1 root root  35652 Feb 19 10:11 selinux.local/localmiscpolicy.pp
-rw-r--r-- 1 root root  36000 Feb 22 11:18 selinux.local/localanacron.pp
[root@topaz ~]#



-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
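
Added example (not part of the original message): a small Python script that automates the correlation made by hand above, pairing the kernel's "invalidating context" entries with later AVC denials whose source context is unlabeled_t. The sample log is constructed from the lines quoted in the message with the wraps rejoined; the function names and the name-matching heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines quoted in the message
# (wrapped lines rejoined, one record per line).
SAMPLE_LOG = """\
Feb 22 11:15:43 topaz kernel: audit(1172142943.430:470): avc:  denied { write } for  pid=14039 comm="su" name="root" dev=hda2 ino=258817 scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:sysadm_r:initrc_t:s0
Feb 22 11:19:10 topaz kernel: security:  invalidating context staff_u:system_r:spamd_t:s0
Feb 22 11:19:10 topaz kernel: audit(1172143150.903:471): policy loaded auid=4294967295
Feb 22 11:21:19 topaz kernel: audit(1172143279.378:42740): avc:  denied { search } for  pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
Feb 22 11:21:19 topaz kernel: audit(1172143279.378:42741): avc:  denied { search } for  pid=10329 comm="spamd" name="/" dev=hda2 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

INVALIDATED = re.compile(r"security:\s+invalidating context (\S+)")
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?comm="([^"]+)".*?scontext=(\S+)')


def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def correlate(log_text):
    """Return (invalidated contexts, per-comm count of unlabeled_t denials
    logged after the first invalidation)."""
    invalidated, unlabeled = [], Counter()
    for line in log_text.splitlines():
        m = INVALIDATED.search(line)
        if m:
            invalidated.append(m.group(1))
            continue
        m = AVC.search(line)
        # Denials before any invalidation are ordinary policy noise; skip them.
        if m and invalidated and se_type(m.group(3)) == "unlabeled_t":
            unlabeled[m.group(2)] += 1
    return invalidated, unlabeled


def suspects(log_text):
    """Heuristic (assumption): a flooding command is tied to an invalidated
    context when the command name appears in that context's type name."""
    invalidated, unlabeled = correlate(log_text)
    return {comm: [c for c in invalidated if comm in se_type(c)]
            for comm in unlabeled}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
    print(suspects(SAMPLE_LOG))
```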



