Hello Ritesh,

The messages are not particularly useful, until the files have been given proper labels and such basic stuff.

> type=AVC msg=audit(1202138504.205:41): avc: denied { read } for pid=9413
> comm="leafnode" name="news" dev=dm-2 ino=4199432
> scontext=system_u:system_r:tcpd_t:s0
> tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Notice the source context, tcpd_t. You don't want leafnode to run as "tcp wrapper". You want it to have its own domain. Which applications get which domains, and which executables trigger a domain change cannot be automatically guessed by audit2why. Audit2why is only useful once the other stuff is in place.

And assigning appropriate domains to files etc. requires *previous knowledge* of the application, and I don't use leafnode. I can guess you'll probably want /var/spool/news (or whatever it's using!) to have a context like news_spool_t or so (have a look at the INN policy, what it is using!), and you might want to make the leafnode binary an entry point into the leafnode_t domain, at least when executed by tcpd_t.

But there is no way I'm ever going to produce you a somewhat useful policy just by that couple of log messages. As stated above, you need to know the application to be able to tell what types of files it uses that might require similar or different access policy and so on. This can only be done by users of that particular application. (Apart from myself not using SELinux these days, since I'm way too busy with other stuff such as writing my thesis. I'm no longer responsible for the servers I used SELinux on earlier.)

Have a look at the SELinux documentation. Especially on some tutorials posted in RJC's blog and in my blog. They're not particularly hard to find.

best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org)  --  GPG Key ID: 4B3A135C
 (o_   A man doesn't know what he knows until he knows what he doesn't know.
 //\   Without tears the soul has no rainbow.
 V_/_
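The groundwork the reply asks for (a domain of its own for leafnode, an entry-point type for its binary, a dedicated spool type, and a transition out of tcpd_t) as an added refpolicy-style module sketch; this is example code, not part of the original mail or of any leafnode policy. It assumes /usr/sbin/leafnode as the binary path and that no loaded module already declares news_spool_t; only tcpd_t, var_spool_t and /var/spool/news come from the quoted log.

```selinux
# leafnode.te  (assumed refpolicy-style module; every name other than
# tcpd_t, var_spool_t and /var/spool/news is an assumption, not from the AVC)
policy_module(leafnode, 1.0)

gen_require(`
	type tcpd_t;    # the wrapper domain seen as scontext in the denial
')

# A domain of leafnode's own, plus the executable type that enters it
type leafnode_t;
type leafnode_exec_t;
domain_type(leafnode_t)
domain_entry_file(leafnode_t, leafnode_exec_t)

# Dedicated type for the news spool so it stops being generic var_spool_t.
# If the INN module is loaded it already declares news_spool_t: drop these
# two lines and pull the type in through gen_require instead.
type news_spool_t;
files_type(news_spool_t)

# When tcpd_t executes a leafnode_exec_t file, enter leafnode_t
# (execute on the file, process transition, entrypoint and type_transition)
domtrans_pattern(tcpd_t, leafnode_exec_t, leafnode_t)

# Access to its own spool; the quoted denial was a read on the spool dir,
# which after relabelling is news_spool_t rather than var_spool_t
manage_dirs_pattern(leafnode_t, news_spool_t, news_spool_t)
manage_files_pattern(leafnode_t, news_spool_t, news_spool_t)

# leafnode.fc  (file contexts; the binary path is an assumption,
# the spool path is the one the mail names)
/usr/sbin/leafnode      --  gen_context(system_u:object_r:leafnode_exec_t,s0)
/var/spool/news(/.*)?       gen_context(system_u:object_r:news_spool_t,s0)
```

After building and loading the module (semodule -i leafnode.pp) and relabelling with restorecon -R /usr/sbin/leafnode /var/spool/news, new denials will carry leafnode_t and news_spool_t, which is the point at which audit2why/audit2allow output starts to be meaningful.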