Posted 03-05-2010, 01:58 PM by Robert Nichols
Subject: SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 07:48 AM, Daniel J Walsh wrote:
> On 03/04/2010 10:25 PM, Robert Nichols wrote:
>> This occurs as the result of a procmail rule. Hopefully, the result
>> from audit2allow is the right thing here:
>>
>> allow procmail_t user_home_t:file execute_no_trans;
>>
>> Am I going to have to jump through SELinux hoops every time I want to use
>> a bit of my own code??? Right now I'm spending far more time fighting
>> with SELinux than I would _ever_ have to spend cleaning up from an
>> unlikely breakin. With little hope of ever getting to enforcing mode,
>> perhaps it would be best just to disable entirely.
>>
>> Summary:
>>
>> SELinux is preventing /bin/gawk "execute" access on
>> /var/home/rnichols/mail/spamstrings.sh.
>>
>> Detailed Description:
>>
>> [SELinux is in permissive mode. This access was not denied.]
>>
>> SELinux denied access requested by spamstrings.sh. It is not expected that this
>> access is required by spamstrings.sh and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context system_u:system_r:procmail_t:s0
>> Target Context unconfined_u:object_r:user_home_t:s0
>> Target Objects /var/home/rnichols/mail/spamstrings.sh [ file ]
>> Source spamstrings.sh
>> Source Path /bin/gawk
>> Port <Unknown>
>> Host omega-3x.local
>> Source RPM Packages gawk-3.1.7-1.fc12
>> Target RPM Packages
>> Policy RPM selinux-policy-3.6.32-89.fc12
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Permissive
>> Plugin Name catchall
>> Host Name omega-3x.local
>> Platform Linux omega-3x.local
>> 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19
>> 18:55:03 UTC 2010 x86_64 x86_64
>> Alert Count 2
>> First Seen Thu 04 Mar 2010 08:49:24 PM CST
>> Last Seen Thu 04 Mar 2010 08:49:24 PM CST
>> Local ID d067376f-66e5-49b7-8fa7-e22aa5388dae
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
>> execute } for pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6
>> ino=351952 scontext=system_u:system_r:procmail_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>>
>> node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
>> execute_no_trans } for pid=19477 comm="procmail"
>> path="/home/rnichols/mail/spamstrings.sh" dev=sda6 ino=351952
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>>
>> node=omega-3x.local type=SYSCALL msg=audit(1267757364.768:30045): arch=c000003e
>> syscall=59 success=yes exit=0 a0=95e320 a1=95fa40 a2=95fee0 a3=8 items=0
>> ppid=19476 pid=19477 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamstrings.sh"
>> exe="/bin/gawk" subj=system_u:system_r:procmail_t:s0 key=(null)
>>
> Simplest fix would be to change the context to bin_t
>
> chcon -t bin_t /home/rnichols/mail/spamstrings.sh
>
>
> Will make this work. Is this a normal behaviour to have procmail
> executing content in the homedir?

If the user's .procmailrc file asks for such execution, then yes, completely
normal.

I can see I have a huge administrative nightmare coming up if I want to keep
SELinux enabled. Where I have executables that are related only to specific
groups of files, I prefer to keep the executable content grouped with the
files rather than lumping all those executables in my $HOME/bin directory.
Some of those programs are going to be invoked by confined services. So,
I'm going to have multiple pigeonholes for which I need to set bin_t context
and have to keep track of that if stuff gets moved around. And most likely
all of that is going to break horribly when the next major upgrade (FC12 ->
FC13) comes along.

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Posted 03-05-2010, 02:51 PM by Robert Nichols

On 03/05/2010 09:13 AM, Daniel J Walsh wrote:
> Yes I think labeling the bin directory in your homedir as bin_t will
> allow almost all confined applications on your system to execute them.
>
> The problem with SELinux is people think first of adding allow rules
> rather than fixing the labeling.

In defense of those just struggling to get by, that is generally what
setroubleshoot suggests. Plus, while the audit2allow route is fairly
obvious, it takes a significantly deeper understanding of the base
policy to know which of the source or target types might be wrong and
just what the proper labeling should be.

 
Posted 03-05-2010, 03:07 PM by Robert Nichols

On 03/05/2010 08:36 AM, Dominick Grift wrote:
> On 03/05/2010 08:38 AM, Robert Nichols wrote:
>> SELinux works well and unobtrusively if you use only the software that
>> comes with your distribution and don't go much beyond clicking on icons
>> in your use of it. My laptop falls into that category. I'm trying to
>> bring up a server right now, where SELinux would actually be useful,
>> but dealing with SELinux there is looking to be way beyond what I can
>> undertake.
>>
>
> That is because the user domain by default is for the most part exempt.
> Some system services are targeted, and managing this requires some
> knowledge/awareness about the matter.
>
> It's like Fedora default iptables/netfilter configuration. As long as you
> do not have any exotic services listening on the network or have any
> nat/routing requirements, things just work.
>
> Else you are required to have some knowledge about iptables or whatever
> you use to configure netfilter.

With iptables I am not faced with the task of understanding a huge and
complex base policy, let alone one that is constantly changing, plus
understanding a bunch of minimally documented commands before I can
set up my custom configuration.

 
Posted 03-05-2010, 03:12 PM by Robert Nichols

On 03/05/2010 07:44 AM, Stephen Smalley wrote:
> On Thu, 2010-03-04 at 21:29 -0600, Robert Nichols wrote:
>> And, it appears that I have to remember to re-install all local policy
>> modules every time there is a policy update, right?? :-((
>
> No, that shouldn't be necessary - once you've installed a policy module,
> it stays in the policy store and should get re-linked into the final
> policy on subsequent transactions unless/until it gets explicitly
> removed (via semodule -r). Have you encountered a particular situation
> where this hasn't been true?

False alarm. It was an error I made running audit2allow on 2 instances
of the same AVC rather than one each of 2 very similar AVCs. The policy
update that occurred at about that same time was a red herring.
