SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk
Daniel J Walsh
dwalsh at redhat.com
Fri Mar 5 15:13:10 UTC 2010
Yes I think labeling the bin directory in your homedir as bin_t will
allow almost all confined applications on your system to execute them.
The problem with SELinux is people think first of adding allow rules
rather than fixing the labeling.
In this case you want to treat files in your homedir as binaries that
system processes can execute, so you need to label them bin_t. If
you set up ~/bin to be labeled bin_t, all files copied to that directory
or created in that directory will be labeled bin_t. If you mv a file to
this directory you might have to run restorecon on it.
# restorecon -R -v ~/bin
procmail_t can currently write to your home dir, so this should not be a
problem.
You can set the labeling of ~/bin to bin_t using the method Paul Howarth
suggested or just use the semanage command
# semanage fcontext -a -t bin_t '/home/rnichols/bin(/.*)?'
# restorecon -R -v /home/rnichols/bin
If you do not want to change the labeling at all you can use the
audit2allow method you first described
# grep procmail_t /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp
Which would then allow procmail_t to execute user_home_t.
This rule says procmail_t can execute almost any file in your homedir,
since this is the default label for the homedir. You should not have to
add more rules to handle this problem.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
This document explains the four things SELinux is trying to tell you.
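As an added illustration of the reasoning in this reply (example code, not part of the original message or of any Fedora tool), the POSIX shell script below reads the "four things" out of an AVC denial line (source domain, target type, object class, permission) and, for an execute denial on a user_home_t file, prints the relabel-to-bin_t fix using the semanage/restorecon commands from the thread rather than an audit2allow rule. The audit record is constructed for the example (the path and user come from the subject line); the functions avc_field, avc_perm, avc_type and suggest_fix are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: classify an AVC denial and suggest the labeling fix.
# The audit line below is constructed for this example.
SAMPLE_AVC='type=AVC msg=audit(1267802000.123:456): avc:  denied  { execute } for  pid=1234 comm="procmail" name="spamstrings.awk" dev=dm-0 ino=99 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
# A second constructed line: a write denial, which the script leaves for review.
SAMPLE_AVC_WRITE='type=AVC msg=audit(1267802000.456:457): avc:  denied  { write } for  pid=1234 comm="procmail" name="mbox" dev=dm-0 ino=100 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in LINE (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_type CONTEXT -> the type component (user:role:type:level -> type)
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE BINDIR
# Prints "relabel" followed by the semanage/restorecon commands when a
# confined domain was denied execute on a user_home_t file; otherwise
# prints a one-line "review:" summary of the four things in the denial.
suggest_fix() {
    line=$1
    bindir=$2
    perm=$(avc_perm "$line")
    sdom=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    if [ "$perm" = execute ] && [ "$tclass" = file ] && [ "$ttype" = user_home_t ]; then
        printf 'relabel\n'
        printf "semanage fcontext -a -t bin_t '%s(/.*)?'\n" "$bindir"
        printf 'restorecon -R -v %s\n' "$bindir"
    else
        printf 'review: %s denied %s on %s (%s)\n' "$sdom" "$perm" "$ttype" "$tclass"
    fi
}

# Usage: run against the constructed records.
suggest_fix "$SAMPLE_AVC" /home/rnichols/bin
suggest_fix "$SAMPLE_AVC_WRITE" /home/rnichols/bin
```

The script only prints the commands; relabeling still has to be done as root with semanage and restorecon, and the "review:" branch is where a denial that is not a plain execute-on-home-file case should be read against the four things before any allow rule is generated.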