SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

Paul Howarth paul at city-fan.org
Tue Mar 9 14:59:49 UTC 2010


On 05/03/10 14:16, Stephen Smalley wrote:
> On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
>> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
>>> On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
>>>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>>>> And, it appears that I have to remember to re-install all local policy
>>>>> modules every time there is a policy update, right??  :-((
>>>>
>>>> Not in all cases but in the case where user domains are involved that
>>>> may be true. semodule -B may also do the trick.
>>>
>>> What's an example where that is required, and why?
>>>
>>
>> Well, I don't remember exactly, but I used to have a custom user domain, and
>> when Fedora's selinux-policy had an update that affected interfaces in
>> the userdomain that my custom user domain calls, then this change would
>> not be reflected in my custom user domain.
>>
>> I had to reinstall my custom user domain after Fedora selinux policy
>> updates that made relevant changes to the userdomain.
>>
>> I think the explanation was that it works like static libraries and not
>> like dynamic libraries.
>
> Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
> are expanded at module compilation time.  So if your module uses a
> refpolicy interface and the internals of that interface definition
> change and you want to pick up those changes, you might have to
> recompile your module (merely re-inserting the already compiled one or
> merely running semodule -B won't help).  But I don't think that is
> commonly needed for local modules, particularly ones that are
> audit2allow-generated.

I had an issue with this last week, where the update from -89 to -92 on 
Fedora 12 appeared to remove the "etcfile" attribute, an "ABI change" 
that broke at least two of my local modules despite there being no "API 
change" (a recompile of the modules worked without problems).

These were hand-written modules as it happens but the problem could as 
easily come up for people using "audit2allow -R", which is what I 
usually do.

The full details are a bit long-winded to post here but I documented my 
experience in the hope it would prove useful to someone:

http://www.city-fan.org/tips/PaulHowarth/Blog/2010-03-04

Cheers, Paul.
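
The recompile-after-update behaviour discussed in this thread, as an added example that is not part of the original message or of any project's code: a script that finds local modules compiled against an older policy package and rebuilds them. The `NAME.pp.policyver` stamp file is a hypothetical convention, and the Makefile path and `rpm -q selinux-policy` assume a Fedora-style install.

```shell
#!/bin/sh
# Added example (not from the thread). refpolicy interfaces are m4 macros that
# are expanded into the .pp at compile time, so a module built against an older
# policy keeps the old expansion until it is recompiled.
# Assumptions: sources are NAME.te files in one directory; a sidecar file
# NAME.pp.policyver (hypothetical convention) records the policy package
# version each .pp was compiled against.

DEVEL_MAKEFILE="${DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}"

# stale_modules SRC_DIR CURRENT_VER
# Print the name of every module that needs a recompile: no .pp yet, no
# version stamp, a stamp that differs from CURRENT_VER, or a .te edited
# after the .pp was built.
stale_modules() {
    for te in "$1"/*.te; do
        [ -e "$te" ] || continue            # directory holds no .te files
        name=$(basename "$te" .te)
        pp="$1/$name.pp"
        stamp="$pp.policyver"
        if [ ! -f "$pp" ] || [ ! -f "$stamp" ] \
           || [ "$(cat "$stamp")" != "$2" ] \
           || [ -n "$(find "$te" -newer "$pp")" ]; then
            echo "$name"
        fi
    done
}

# rebuild_stale SRC_DIR
# Recompile, reinstall and re-stamp every stale module.
rebuild_stale() {
    ver=$(rpm -q selinux-policy) || return 1
    for name in $(stale_modules "$1" "$ver"); do
        # -B forces the rebuild: the existing .pp may look up to date to make
        # by timestamp even though the interface definitions have changed.
        ( cd "$1" && make -B -f "$DEVEL_MAKEFILE" "$name.pp" \
              && semodule -i "$name.pp" ) || return 1
        printf '%s\n' "$ver" > "$1/$name.pp.policyver"
    done
}

# Acts only when asked to, e.g.:  sh rebuild-local.sh --rebuild ~/selinux-local
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_stale "${2:-.}"
fi
```

Re-inserting the old `.pp` or running `semodule -B` alone is not enough here, which is why the script recompiles from the `.te` source before calling `semodule -i`.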

