On Thu, Mar 04, 2010 at 09:29:14PM -0600, Robert Nichols wrote: > And, it appears that I have to remember to re-install all local policy > modules every time there is a policy update, right?? :-(( I don't have either of these problems, and I've been using procmail on (admittedly older) Fedora for years.

On 03/05/2010 08:38 AM, Robert Nichols wrote: > SELinux works well and unobtrusively if you use only the software that > comes with your distribution and don't go much beyond clicking on icons > in your use of it. My laptop falls into that category. I'm trying to > bring up a server right now, where SELinux would actually be useful, > but dealing with SELinux there is looking to be way beyond what I can > undertake. > That is because the user domain by default is for the most part exempt. Some system services are targeted, and managing this requires some knowledge/awareness about the matter. Its like Fedora default iptables/netfilter configuration. As long as you do not have any exotic services listening on the network or have any nat/routing requirements, things just work. Else you are required to have some knowledge about iptables or whatever you use to configure netfilter.

On 03/05/2010 04:29 AM, Robert Nichols wrote: > And, it appears that I have to remember to re-install all local policy > modules every time there is a policy update, right?? :-(( Not in all cases but in the case where user domains are involved that may be true. semodule -B may also do the trick.

On 03/05/2010 02:53 PM, Stephen Smalley wrote: > On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote: >> On 03/05/2010 04:29 AM, Robert Nichols wrote: >>> And, it appears that I have to remember to re-install all local policy >>> modules every time there is a policy update, right?? :-(( >> >> Not in all cases but in the case where user domains are involved that >> may be true. semodule -B may also do the trick. > > What's an example where that is required, and why? > Well i dont remember exactly but i use to have a custom user domain, and when fedora's selinux-policy had an update that affected interfaces in the userdomain, that my custom user domain calls. Then this change would not reflect in my custom user domain. I had to reinstall my custom user domain after fedora selinux policy updates that made relevant changes to the userdomain. I think the explanation was that its works like static libraries and not like dynamic libraries.

Unfortunately my memory might be wrong. Also i cannot find the particular discussion i had with dwalsh about the issue on the mail lists on short notice. Also i do not know whether this is even related to this issue.

On 03/05/2010 04:29 AM, Robert Nichols wrote: > And, it appears that I have to remember to re-install all local policy > modules every time there is a policy update, right?? :-(( Not in all cases but in the case where user domains are involved that may be true. semodule -B may also do the trick. It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh type bin_t semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh restorecon -R -v /var/home/rnichols/mail/spamstrings.sh

On 03/05/2010 03:09 AM, Dominick Grift wrote: > On 03/05/2010 04:29 AM, Robert Nichols wrote: >> And, it appears that I have to remember to re-install all local policy >> modules every time there is a policy update, right?? :-(( > > Not in all cases but in the case where user domains are involved that > may be true. semodule -B may also do the trick. > > It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh > type bin_t > > semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh > restorecon -R -v /var/home/rnichols/mail/spamstrings.sh So, if I move that file to my $HOME/bin directory and make that whole directory type bin_t, that should take care of it??

On Thu, 2010-03-04 at 21:29 -0600, Robert Nichols wrote: > And, it appears that I have to remember to re-install all local policy > modules every time there is a policy update, right?? :-(( No, that shouldn't be necessary - once you've installed a policy module, it stays in the policy store and should get re-linked into the final policy on subsequent transactions unless/until it gets explicitly removed (via semodule -r). Have you encountered a particular situation where this hasn't been true?

On 03/04/2010 10:25 PM, Robert Nichols wrote: > This occurs as the result of a procmail rule. Hopefully, the result > from audit2allow is the right thing here: > > allow procmail_t user_home_t:file execute_no_trans; > > Am I going to have to jump through SELinux hoops every time I want to use > a bit of my own code??? Right now I'm spending far more time fighting > with SELinux than I would _ever_ have to spend cleaning up from an > unlikely breakin. With little hope of ever getting to enforcing mode, > perhaps it would be best just to disable entirely. > > Summary: > > SELinux is preventing /bin/gawk "execute" access on > /var/home/rnichols/mail/spamstrings.sh. > > Detailed Description: > > [SELinux is in permissive mode. This access was not denied.] > > SELinux denied access requested by spamstrings.sh. It is not expected that this > access is required by spamstrings.sh and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug > report. > > Additional Information: > > Source Context system_u:system_r:procmail_t:s0 > Target Context unconfined_u:object_r:user_home_t:s0 > Target Objects /var/home/rnichols/mail/spamstrings.sh [ file ] > Source spamstrings.sh > Source Path /bin/gawk > Port<Unknown> > Host omega-3x.local > Source RPM Packages gawk-3.1.7-1.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.32-89.fc12 > Selinux Enabled True > Policy Type targeted > Enforcing Mode Permissive > Plugin Name catchall > Host Name omega-3x.local > Platform Linux omega-3x.local > 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19 > 18:55:03 UTC 2010 x86_64 x86_64 > Alert Count 2 > First Seen Thu 04 Mar 2010 08:49:24 PM CST > Last Seen Thu 04 Mar 2010 08:49:24 PM CST > Local ID d067376f-66e5-49b7-8fa7-e22aa5388dae > Line Numbers > > Raw Audit Messages > > node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied { > execute } for pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6 > ino=351952 scontext=system_u:system_r:procmail_t:s0 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file > > node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied { > execute_no_trans } for pid=19477 comm="procmail" > path="/home/rnichols/mail/spamstrings.sh" dev=sda6 ino=351952 > scontext=system_u:system_r:procmail_t:s0 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file > > node=omega-3x.local type=SYSCALL msg=audit(1267757364.768:30045): arch=c000003e > syscall=59 success=yes exit=0 a0=95e320 a1=95fa40 a2=95fee0 a3=8 items=0 > ppid=19476 pid=19477 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 > egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamstrings.sh" > exe="/bin/gawk" subj=system_u:system_r:procmail_t:s0 key=(null) > > > > > Simplest fix would be to change the context to bin_t chcon -t bin_t /home/rnichols/mail/spamstrings.sh Will make this work. Is this a normal behavour to have procmail executing content in the homedir?

Yes I think labeling the bin directory in your homedir as bin_t will allow almost all confined applications on your system to execute them. The problem with SELinux is people think first of adding allow rules rather then fixing the labeling.