SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 5 14:16:55 UTC 2010


On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
> > On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
> >> On 03/05/2010 04:29 AM, Robert Nichols wrote:
> >>> And, it appears that I have to remember to re-install all local policy
> >>> modules every time there is a policy update, right??  :-((
> >>
> >> Not in all cases but in the case where user domains are involved that
> >> may be true. semodule -B may also do the trick.
> > 
> > What's an example where that is required, and why?
> > 
> 
> Well I don't remember exactly but I used to have a custom user domain, and
> when Fedora's selinux-policy had an update that affected interfaces in
> the userdomain, that my custom user domain calls. Then this change would
> not reflect in my custom user domain.
> 
> I had to reinstall my custom user domain after Fedora selinux policy
> updates that made relevant changes to the userdomain.
> 
> I think the explanation was that it works like static libraries and not
> like dynamic libraries.

Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
are expanded at module compilation time.  So if your module uses a
refpolicy interface and the internals of that interface definition
change and you want to pick up those changes, you might have to
recompile your module (merely re-inserting the already compiled one or
merely running semodule -B won't help).  But I don't think that is
commonly needed for local modules, particularly ones that are
audit2allow-generated.

> Unfortunately my memory might be wrong. Also I cannot find the
> particular discussion I had with dwalsh about the issue on the mail
> lists on short notice.
> 
> Also I do not know whether this is even related to this issue.

-- 
Stephen Smalley
National Security Agency
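
The following is an added example, not part of the original message or of any project's code: a shell helper that lists local modules whose compiled `.pp` predates the installed refpolicy interface files, which is the case where the message above says a recompile is needed. It assumes each module's `.te` and `.pp` sit side by side in one directory and that the interface files are the `*.if` files shipped under `/usr/share/selinux/devel/include`; the function names and the macro-call heuristic are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed layout: <dir>/<name>.te next to <dir>/<name>.pp,
# interface definitions (*.if) under the policy devel include tree.
IFACE_DIR="${IFACE_DIR:-/usr/share/selinux/devel/include}"

# Print the name of every module in $1 that calls at least one m4 macro and
# whose compiled .pp is missing or older than some interface file under $2.
stale_modules() {
    mod_dir=$1
    iface_dir=${2:-$IFACE_DIR}
    for te in "$mod_dir"/*.te; do
        [ -e "$te" ] || continue
        # Heuristic: a line starting with name( is a macro/interface call.
        # Plain audit2allow output (module/require/allow only) has none, so
        # there is nothing to re-expand and the module is skipped.
        grep -Eq '^[[:space:]]*[a-z0-9_]+\(' "$te" || continue
        name=$(basename "$te" .te)
        pp="$mod_dir/$name.pp"
        if [ ! -e "$pp" ]; then
            echo "$name"
        elif [ -n "$(find "$iface_dir" -type f -name '*.if' -newer "$pp" \
                        -print 2>/dev/null | head -n 1)" ]; then
            echo "$name"
        fi
    done
}

# Recompile module $2 in directory $1 against the current interfaces and
# install the result. Re-inserting the old .pp or running semodule -B would
# keep the old macro expansion.
rebuild_module() {
    ( cd "$1" &&
      make -f /usr/share/selinux/devel/Makefile "$2.pp" &&
      semodule -i "$2.pp" )
}
```

Run `stale_modules` on the module directory after a selinux-policy update and pass each reported name to `rebuild_module` as root.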


