SpamAssassin Log explosion issue following update
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 23 13:10:09 UTC 2007
On Fri, 2007-02-23 at 09:16 +0000, Ted Rule wrote:
> I've had another dig through the remnants of logs following yesterday's
> log explosion. Fortunately, I hadn't completely eliminated the log
> history of the crash.
>
> It seems that Dan is quite right in saying that the RPM Upgrade didn't
> cause the issue. The logs show that it all started when I amended my
> localanacron policy some 2 minutes before the log explosion started.
>
> I see these two entries:
>
> ...
> Feb 22 11:19:10 topaz kernel: security: invalidating context
> staff_u:sysadm_r:initrc_t:s0
> Feb 22 11:19:10 topaz kernel: security: invalidating context
> staff_u:system_r:spamd_t:s0
This means that at an earlier point in time, while permissive, the
system executed an init script and spamd and performed automatic domain
transitions even though the resulting contexts weren't legal under
policy (allowed when permissive) due to invalid combinations of
role/type or user/role (e.g. initrc_t should be in system_r, not
sysadm_r, and likely staff_u isn't authorized for system_r?). Then
later you reloaded policy while enforcing, and the system invalidated
those contexts and remapped them to unlabeled.
run_init explicitly transitions to system_u:system_r:initrc_t for
running init scripts. The role transition can be done automatically via
policy (role_transition statements), but we don't presently have support
for automatic user transitions in policy.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list