Yes, I think labeling the bin directory in your homedir as bin_t will allow almost all confined applications on your system to execute them.

The problem with SELinux is people think first of adding allow rules rather than fixing the labeling. In this case you want to treat files in your homedir as binaries that system processes can execute, so you need to label them bin_t.

If you set up ~/bin to be labeled bin_t, all files copied to that directory or created in that directory will be labeled bin_t. If you mv a file to this directory you might have to run restorecon on it.

    restorecon -R -v ~/bin

procmail_t can currently write to your home dir, so this should not be a problem.

You can set the labeling of ~/bin to bin_t using the method Paul Howarth suggested or just use the semanage command

    # semanage fcontext -a -t bin_t '/home/rnichols/bin(/.*)?'
    # restorecon -R -v /home/rnichols/bin

If you do not want to change the labeling at all you can use the audit2allow method you first described

    # grep procmail_t /var/log/audit/audit.log | audit2allow -M myprocmail
    # semodule -i myprocmail.pp

Which would then allow procmail_t to execute user_home_t. This rule says procmail_t can execute almost any file in your homedir, since this is the default label for the homedir.

You should not have to add more rules to handle this problem.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This document explains the four things SELinux is trying to tell you.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
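
The trade-off described in the message above, as an added example that is not part of the original post and is not audit2allow's own code: a simplified sketch that groups AVC denials by source type, target type and class the way an allow rule is keyed. The log lines, file names, pids and inodes are constructed; the point is that denials for different files collapse into one type-wide rule on user_home_t.

```python
import re
from collections import defaultdict

# Constructed AVC records for illustration; file names, pids and inodes are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.101:501): avc:  denied  { execute } for  pid=2101 comm="procmail" name="spamfilter" dev=sda3 ino=4001 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.102:502): avc:  denied  { execute_no_trans } for  pid=2101 comm="procmail" name="spamfilter" dev=sda3 ino=4001 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:503): avc:  denied  { execute } for  pid=2140 comm="procmail" name="download.sh" dev=sda3 ino=4977 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.104:504): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=sda3 ino=5100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, name) or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        # A context is user:role:type:level; the policy rule is keyed on the type.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], m.group(1).split(), fields.get("name", "?")
    except (KeyError, IndexError):
        return None


def allow_rules(log, source_type):
    """Map each allow rule for source_type to the file names that triggered it."""
    grouped = defaultdict(lambda: (set(), set()))
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec[0] != source_type:
            continue
        src, tgt, tclass, perms, name = rec
        grouped[(src, tgt, tclass)][0].update(perms)
        grouped[(src, tgt, tclass)][1].add(name)
    rules = {}
    for (src, tgt, tclass), (perms, names) in grouped.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules[f"allow {src} {tgt}:{tclass} {perm_str};"] = sorted(names)
    return rules


if __name__ == "__main__":
    for rule, names in allow_rules(SAMPLE_LOG, "procmail_t").items():
        print(rule, "# triggered by:", ", ".join(names))
```

The single rule it prints carries no path, so it covers every file labeled user_home_t, whereas the bin_t file context is scoped to the one directory named in the semanage pattern.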