SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

Daniel J Walsh dwalsh at redhat.com
Fri Mar 5 13:48:19 UTC 2010


On 03/04/2010 10:25 PM, Robert Nichols wrote:
> This occurs as the result of a procmail rule.  Hopefully, the result
> from audit2allow is the right thing here:
>
>        allow procmail_t user_home_t:file execute_no_trans;
>
> Am I going to have to jump through SELinux hoops every time I want to use
> a bit of my own code???  Right now I'm spending far more time fighting
> with SELinux than I would _ever_ have to spend cleaning up from an
> unlikely breakin.  With little hope of ever getting to enforcing mode,
> perhaps it would be best just to disable entirely.
>
> Summary:
>
> SELinux is preventing /bin/gawk "execute" access on
> /var/home/rnichols/mail/spamstrings.sh.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by spamstrings.sh. It is not expected that this
> access is required by spamstrings.sh and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context                system_u:system_r:procmail_t:s0
> Target Context                unconfined_u:object_r:user_home_t:s0
> Target Objects                /var/home/rnichols/mail/spamstrings.sh [ file ]
> Source                        spamstrings.sh
> Source Path                   /bin/gawk
> Port                          <Unknown>
> Host                          omega-3x.local
> Source RPM Packages           gawk-3.1.7-1.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-89.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     omega-3x.local
> Platform                      Linux omega-3x.local
>                                 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19
>                                 18:55:03 UTC 2010 x86_64 x86_64
> Alert Count                   2
> First Seen                    Thu 04 Mar 2010 08:49:24 PM CST
> Last Seen                     Thu 04 Mar 2010 08:49:24 PM CST
> Local ID                      d067376f-66e5-49b7-8fa7-e22aa5388dae
> Line Numbers
>
> Raw Audit Messages
>
> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc:  denied  {
> execute } for  pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6
> ino=351952 scontext=system_u:system_r:procmail_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc:  denied  {
> execute_no_trans } for  pid=19477 comm="procmail"
> path="/home/rnichols/mail/spamstrings.sh" dev=sda6 ino=351952
> scontext=system_u:system_r:procmail_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> node=omega-3x.local type=SYSCALL msg=audit(1267757364.768:30045): arch=c000003e
> syscall=59 success=yes exit=0 a0=95e320 a1=95fa40 a2=95fee0 a3=8 items=0
> ppid=19476 pid=19477 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamstrings.sh"
> exe="/bin/gawk" subj=system_u:system_r:procmail_t:s0 key=(null)
>
Simplest fix would be to change the context to bin_t

chcon -t bin_t /home/rnichols/mail/spamstrings.sh


Will make this work.  Is this a normal behaviour to have procmail
executing content in the homedir?
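As an added illustration (not code from the thread or from the setroubleshoot project), here is a small parser for the raw AVC messages quoted above. It groups the denials the way audit2allow does, prints the equivalent allow rule, and prefers the relabel-to-bin_t fix from the reply over loosening the procmail domain when the target is a user_home_t file. The two sample records are reconstructed from the audit lines in the quoted report; the persistent semanage/restorecon variant mentioned in the comment is an addition, not something the thread states.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the quoted report, rejoined onto one
# line each (constructed copies, not read from a live audit log).
SAMPLE_AVC = [
    'type=AVC msg=audit(1267757364.768:30045): avc:  denied  { execute } for  '
    'pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6 ino=351952 '
    'scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1267757364.768:30045): avc:  denied  { execute_no_trans } '
    'for  pid=19477 comm="procmail" path="/home/rnichols/mail/spamstrings.sh" '
    'dev=sda6 ino=351952 scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (list of denied permissions, dict of key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return m.group('perms').split(), fields

def type_of(context):
    # user:role:type:level -> the type is always the third component
    return context.split(':')[2]

def summarize(lines):
    """Group denials by (source type, target type, class) -> set of perms."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, f = parsed
            groups[(type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])].update(perms)
    return groups

def allow_rule(key, perms):
    """Render the allow rule audit2allow would emit for one group."""
    src, tgt, cls = key
    p = sorted(perms)
    return f'allow {src} {tgt}:{cls} {p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"};'

def recommend(key, perms):
    """Relabeling a home-directory script to bin_t (the fix from the reply) keeps
    the procmail domain unchanged; a policy module widens it for every user_home_t file."""
    src, tgt, cls = key
    if cls == 'file' and tgt == 'user_home_t' and 'execute' in perms:
        # Persistent form (addition): semanage fcontext -a -t bin_t '<path>'; restorecon -v '<path>'
        return 'relabel: chcon -t bin_t <path>'
    return 'policy module: ' + allow_rule(key, perms)

if __name__ == '__main__':
    for key, perms in summarize(SAMPLE_AVC).items():
        print(allow_rule(key, perms), '->', recommend(key, perms))
```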
