Re: SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes I think labeling the bin directory in your homedir as bin_t will 
allow almost all confined applications on your system to execute them.

The problem with SELinux is people think first of adding allow rules 
rather then fixing the labeling.
In this case you want to treat files in your homedir as binraries that 
system processes can execute,  so you can need to label them bin_t.  If 
you set up ~/bin to be labeled bin_t, all files copied to that directory 
or created in that directory will be labeled bin_t.  If you mv a file to 
this directory you might have to run restorecon on it.  restorecon -R -v 
~/bin

procmail_t can currently write to your home dir, so this should not be a 
problem.

You can set the labeling of ~/bin to bin_t using the method Paul Howarth 
suggested or just use the semanage command


# semanage fcontext -a -t bin_t '/home/rnichols/bin(/.*)?'
# restorecon -R -v /home/rnichols/bin

If you do not want to change the labeling at all you can use the 
audit2allow method you first described
# grep procmail_t /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp

Which would then allow procmail_t to execute user_home_t.

This rules says procmail_t can execute almost any file in your homedir, 
since this is the default label for the homedir.  You should not have to 
add more rules to handle this problem.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This docment explains the four things SELinux is trying to tell you.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux