SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

Robert Nichols rnicholsNOSPAM at comcast.net
Fri Mar 5 07:38:20 UTC 2010


On 03/04/2010 11:52 PM, Chuck Anderson wrote:
> On Thu, Mar 04, 2010 at 09:29:14PM -0600, Robert Nichols wrote:
>> And, it appears that I have to remember to re-install all local policy
>> modules every time there is a policy update, right??  :-((
>
> I don't have either of these problems, and I've been using procmail on
> (admittedly older) Fedora for years.

I think I know what happened to make it appear that the local policy
module got dropped.  A simple mistake on my part that just happened to
occur at the time an update got installed.

As for the execute permission problem, you probably aren't executing any
user-written scripts from within your home directory.  In fact, I know
you're not -- SELinux won't allow that.

I'm once again finding SELinux to be absolutely hopeless, and I'm barely
getting started with the things I want this system to do.  Right now I'm
trying to set up my mail processing.  I do quite a bit of processing on
my personal incoming mail.  Messages get classified (partly by that awk
filter that prompted this thread), and then processed in a variety of
ways.  Files get decoded and stored where I want them.  Processes get
started to evaluate incoming data based on information in a local
database.  That sort of thing.  SELinux wants to block all of that.  The
only alternative I can see is to start a continuously running background
process that runs audit2allow on every AVC that shows up in the log and
let that continue for a few months, and I probably still won't dare go
into enforcing mode for fear that some rare but important event will
cause yet another denial and leave me with a mess to clean up.

SELinux works well and unobtrusively if you use only the software that
comes with your distribution and don't go much beyond clicking on icons
in your use of it.  My laptop falls into that category.  I'm trying to
bring up a server right now, where SELinux would actually be useful,
but dealing with SELinux there is looking to be way beyond what I can
undertake.

-- 
Bob Nichols         RNichols42 at comcast.net
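
The workflow the message describes, collecting AVC denials in permissive mode and seeing which rules they would imply, shown as an added example that is not part of the original post or of any SELinux tool. The log lines are constructed, and the `procmail_t` and `user_home_t` contexts are assumptions, since the thread does not show the actual AVC record.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines: contexts, pids, inodes and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1267774700.101:411): avc:  denied  { execute } for  pid=2301 comm="gawk" name="spamstrings.awk" dev=dm-0 ino=5511 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1267774700.102:412): avc:  denied  { read open } for  pid=2301 comm="gawk" name="spamstrings.awk" dev=dm-0 ino=5511 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1267774700.102:412): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1267774912.530:430): avc:  denied  { execute } for  pid=2377 comm="gawk" name="spamstrings.awk" dev=dm-0 ino=5511 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1267775001.009:441): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only "denied" AVC records and captures permissions, contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted AVCs and unrelated lines
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["count"] += 1
    return dict(rules)

def candidate_rules(summary):
    """Render one allow rule per group, for human review before any module is built."""
    out = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # seen {info['count']}x")
    return out

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Reviewing the aggregated rule before loading it matters: a rule written against `user_home_t` covers every file carrying that label, not only the one script that triggered the denial.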

