On 03/05/2010 02:55 PM, Robert Nichols wrote:
> On 03/05/2010 03:09 AM, Dominick Grift wrote:
>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>> And, it appears that I have to remember to re-install all local policy
>>> modules every time there is a policy update, right?? :-((
>>
>> Not in all cases but in the case where user domains are involved that
>> may be true. semodule -B may also do the trick.
>>
>> It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh
>> type bin_t
>>
>> semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh
>> restorecon -R -v /var/home/rnichols/mail/spamstrings.sh
>
> So, if I move that file to my $HOME/bin directory and make that whole
> directory type bin_t, that should take care of it??
>

Unconfined users (like you) are able to execute any files. Confined services are not allowed to execute user home content (generic files in your home directory).

However, many confined services can run files in /bin or /usr/bin that are labelled with the generic type (bin_t) for that location.

You can either copy the spamstring.sh file to /usr/bin or label it type bin_t in your home directory. If the confined service even has sufficient permissions to get to the file, then it should be allowed to run it there.

If you have executable files that should be run by confined services, then you could label them bin_t. But remember that this only works if the confined service can get to the file.

You do not have to label executable files bin_t if you (the unconfined user) need to run it.

I hope this helps.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
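
The caveat in the reply above, that labelling the script bin_t only helps if the confined service can get to the file, can be checked by listing the SELinux type of every directory on the way to the script. The following is an added example, not part of the original thread; the sample labels and the allow-list of types are constructed assumptions, and the real list for a given domain has to come from the loaded policy (for instance from `sesearch` output).

```sh
#!/bin/sh
# Added example: find path components that would stop a confined domain
# from reaching a script, even when the script itself is labelled bin_t.

# Type field (3rd colon-separated field) of an SELinux context string.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Every ancestor of an absolute path, root first, then the path itself.
path_components() {
    case $1 in /*) ;; *) return 1 ;; esac
    p=$1 out=
    while [ "$p" != / ]; do
        out="$p
$out"
        p=$(dirname "$p")
    done
    printf '/\n%s' "$out"
}

# Live listing as "context path" lines (needs an SELinux host and GNU stat).
live_listing() {
    path_components "$1" | while read -r d; do stat -c '%C %n' "$d"; done
}

# Constructed sample for the path in the thread; labels are illustrative.
sample_listing() {
    cat <<'EOF'
system_u:object_r:root_t:s0 /
system_u:object_r:var_t:s0 /var
system_u:object_r:home_root_t:s0 /var/home
unconfined_u:object_r:user_home_dir_t:s0 /var/home/rnichols
unconfined_u:object_r:user_home_t:s0 /var/home/rnichols/mail
unconfined_u:object_r:bin_t:s0 /var/home/rnichols/mail/spamstrings.sh
EOF
}

# stdin: "context path" lines; $1: space-separated types the domain may
# use (hypothetical here; derive the real list from the loaded policy).
blocked_components() {
    allowed=" $1 "
    while read -r ctx path; do
        t=$(context_type "$ctx")
        case $allowed in
            *" $t "*) ;;
            *) printf '%s %s\n' "$t" "$path" ;;
        esac
    done
}

# Hypothetical allow-list: everything except the home content types.
sample_listing | blocked_components "root_t var_t home_root_t bin_t"
```

On an SELinux host, replace `sample_listing` with `live_listing /path/to/script` to audit the real labels.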