FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-05-2010, 02:25 AM
Robert Nichols
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

This occurs as the result of a procmail rule. Hopefully, the result
from audit2allow is the right thing here:

allow procmail_t user_home_t:file execute_no_trans;

Am I going to have to jump through SELinux hoops every time I want to use
a bit of my own code??? Right now I'm spending far more time fighting
with SELinux than I would _ever_ have to spend cleaning up from an
unlikely breakin. With little hope of ever getting to enforcing mode,
perhaps it would be best just to disable entirely.

Summary:

SELinux is preventing /bin/gawk "execute" access on
/var/home/rnichols/mail/spamstrings.sh.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by spamstrings.sh. It is not expected that this
access is required by spamstrings.sh and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context system_u:system_rrocmail_t:s0
Target Context unconfined_ubject_r:user_home_t:s0
Target Objects /var/home/rnichols/mail/spamstrings.sh [ file ]
Source spamstrings.sh
Source Path /bin/gawk
Port <Unknown>
Host omega-3x.local
Source RPM Packages gawk-3.1.7-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-89.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name omega-3x.local
Platform Linux omega-3x.local
2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19
18:55:03 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Thu 04 Mar 2010 08:49:24 PM CST
Last Seen Thu 04 Mar 2010 08:49:24 PM CST
Local ID d067376f-66e5-49b7-8fa7-e22aa5388dae
Line Numbers

Raw Audit Messages

node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
execute } for pid=19477 comm="procmail" name="spamstrings.sh" dev=sda6
ino=351952 scontext=system_u:system_rrocmail_t:s0
tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file

node=omega-3x.local type=AVC msg=audit(1267757364.768:30045): avc: denied {
execute_no_trans } for pid=19477 comm="procmail"
path="/home/rnichols/mail/spamstrings.sh" dev=sda6 ino=351952
scontext=system_u:system_rrocmail_t:s0
tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file

node=omega-3x.local type=SYSCALL msg=audit(1267757364.768:30045): arch=c000003e
syscall=59 success=yes exit=0 a0=95e320 a1=95fa40 a2=95fee0 a3=8 items=0
ppid=19476 pid=19477 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamstrings.sh"
exe="/bin/gawk" subj=system_u:system_rrocmail_t:s0 key=(null)




--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 02:29 AM
Robert Nichols
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

And, it appears that I have to remember to re-install all local policy
modules every time there is a policy update, right?? :-((

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 04:52 AM
Chuck Anderson
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On Thu, Mar 04, 2010 at 09:29:14PM -0600, Robert Nichols wrote:
> And, it appears that I have to remember to re-install all local policy
> modules every time there is a policy update, right?? :-((

I don't have either of these problems, and I've been using procmail on
(admittedly older) Fedora for years.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 08:09 AM
Dominick Grift
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 04:29 AM, Robert Nichols wrote:
> And, it appears that I have to remember to re-install all local policy
> modules every time there is a policy update, right?? :-((

Not in all cases but in the case where user domains are involved that
may be true. semodule -B may also do the trick.

It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh
type bin_t

semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh
restorecon -R -v /var/home/rnichols/mail/spamstrings.sh

>


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 12:44 PM
Stephen Smalley
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On Thu, 2010-03-04 at 21:29 -0600, Robert Nichols wrote:
> And, it appears that I have to remember to re-install all local policy
> modules every time there is a policy update, right?? :-((

No, that shouldn't be necessary - once you've installed a policy module,
it stays in the policy store and should get re-linked into the final
policy on subsequent transactions unless/until it gets explicitly
removed (via semodule -r). Have you encountered a particular situation
where this hasn't been true?

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 12:53 PM
Stephen Smalley
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
> On 03/05/2010 04:29 AM, Robert Nichols wrote:
> > And, it appears that I have to remember to re-install all local policy
> > modules every time there is a policy update, right?? :-((
>
> Not in all cases but in the case where user domains are involved that
> may be true. semodule -B may also do the trick.

What's an example where that is required, and why?

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 12:55 PM
Robert Nichols
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 03:09 AM, Dominick Grift wrote:
> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>> And, it appears that I have to remember to re-install all local policy
>> modules every time there is a policy update, right?? :-((
>
> Not in all cases but in the case where user domains are involved that
> may be true. semodule -B may also do the trick.
>
> It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh
> type bin_t
>
> semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh
> restorecon -R -v /var/home/rnichols/mail/spamstrings.sh

So, if I move that file to my $HOME/bin directory and make that whole
directory type bin_t, that should take care of it??

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:04 PM
Dominick Grift
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 02:53 PM, Stephen Smalley wrote:
> On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>> And, it appears that I have to remember to re-install all local policy
>>> modules every time there is a policy update, right?? :-((
>>
>> Not in all cases but in the case where user domains are involved that
>> may be true. semodule -B may also do the trick.
>
> What's an example where that is required, and why?
>

Well i dont remember exactly but i use to have a custom user domain, and
when fedora's selinux-policy had an update that affected interfaces in
the userdomain, that my custom user domain calls. Then this change would
not reflect in my custom user domain.

I had to reinstall my custom user domain after fedora selinux policy
updates that made relevant changes to the userdomain.

I think the explanation was that its works like static libraries and not
like dynamic libraries.

Unfortunately my memory might be wrong. Also i cannot find the
particular discussion i had with dwalsh about the issue on the mail
lists on short notice.

Also i do not know whether this is even related to this issue.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:15 PM
Dominick Grift
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On 03/05/2010 02:55 PM, Robert Nichols wrote:
> On 03/05/2010 03:09 AM, Dominick Grift wrote:
>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>> And, it appears that I have to remember to re-install all local policy
>>> modules every time there is a policy update, right?? :-((
>>
>> Not in all cases but in the case where user domains are involved that
>> may be true. semodule -B may also do the trick.
>>
>> It may be a better idea to label /var/home/rnichols/mail/spamstrings.sh
>> type bin_t
>>
>> semanage fcontext -a -t bin_t /var/home/rnichols/mail/spamstrings.sh
>> restorecon -R -v /var/home/rnichols/mail/spamstrings.sh
>
> So, if I move that file to my $HOME/bin directory and make that whole
> directory type bin_t, that should take care of it??
>

Unconfined users (like you) are able to execute any files. Confined
services are not allowed to execute user home content (generic files in
your home directory).

However many confined services can run files in /bin or /usr/bin that
are labelled with the generic type (bin_t) for that location.

You can either copy the spamstring.sh file to /usr/bin or label it type
bin_t in your home directory. If the confined service even has
sufficient permissions to get to the file, then it should be allowed to
run it there.

If you have executable files that should be run by confined services,
then you could label them bin_t. But remember that this only works if
the confined service can get to the file.

You do not have to label executable files bin_t if you (the unconfined
user) need to run it.

i hope this helps.


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:16 PM
Stephen Smalley
 
Default SELinux is preventing /bin/gawk "execute" access on /var/home/rnichols/mail/spamstrings.awk

On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
> > On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
> >> On 03/05/2010 04:29 AM, Robert Nichols wrote:
> >>> And, it appears that I have to remember to re-install all local policy
> >>> modules every time there is a policy update, right?? :-((
> >>
> >> Not in all cases but in the case where user domains are involved that
> >> may be true. semodule -B may also do the trick.
> >
> > What's an example where that is required, and why?
> >
>
> Well i dont remember exactly but i use to have a custom user domain, and
> when fedora's selinux-policy had an update that affected interfaces in
> the userdomain, that my custom user domain calls. Then this change would
> not reflect in my custom user domain.
>
> I had to reinstall my custom user domain after fedora selinux policy
> updates that made relevant changes to the userdomain.
>
> I think the explanation was that its works like static libraries and not
> like dynamic libraries.

Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
are expanded at module compilation time. So if your module uses a
refpolicy interface and the internals of that interface definition
change and you want to pick up those changes, you might have to
recompile your module (merely re-inserting the already compiled one or
merely running semodule -B won't help). But I don't think that is
commonly needed for local modules, particularly ones that are
audit2allow-generated.

> Unfortunately my memory might be wrong. Also i cannot find the
> particular discussion i had with dwalsh about the issue on the mail
> lists on short notice.
>
> Also i do not know whether this is even related to this issue.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 02:34 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org