Turn on auditd so the SELinux AVC messages go to /var/log/audit/audit.log. Then to see what the SELinux messages mean, run:

    audit2why < /var/log/audit/audit.log

To create a local policy to allow whatever is being denied:

    audit2allow < /var/log/audit/audit.log

(There is another step to turn that into an actual module which you can
then use semodule -i to insert, but you should review what is in there
before deciding to blindly allow everything.)

On Thu, Apr 03, 2014 at 07:12:53AM -0400, Jerry Feldman wrote:
> I used to set it to permissive also, but I didn't like many of the messages.
>
> On 04/02/2014 11:37 PM, John Malloy wrote:
> >
> > That's a good idea!
> >
> >
> > On Wed, Apr 2, 2014 at 11:21 PM, Peter (peabo) Olson <pe...@peabo.com
> > <mailto:pe...@peabo.com>> wrote:
> >
> >     On April 2, 2014 at 2:28 PM Jerry Feldman <g...@blu.org
> >     <mailto:g...@blu.org>> wrote:
> >     > One issue is that sometimes, companies make this a requirement, and the
> >     > IT people who do the real work just have to follow the rules.
> >     > Whenever I set up a new system I always go to /etc/selinux and change
> >     > config to SELINUX=disabled
> >     > I recently changed SELINUXTYPE to disabled, and screwed up everything to
> >     > where I could not even log in. That is what rescue systems are for.
> >
> >     I usually change it to 'permissive', which keeps things running while you get a
> >     chance to review the logs to see what SELinux would like to do to you.

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
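
Added example, not part of the original message and not code from the SELinux tools: a Python script that groups the AVC denials in an audit log by source type, target type and object class, so the rules a local policy would grant can be reviewed before anything is loaded with semodule -i. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1396523573.101:411): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda1" ino=5201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1396523573.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1396523574.220:412): avc:  denied  { getattr open } for  pid=2101 comm="httpd" path="/home/u/site/index.html" dev="sda1" ino=5201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1396523580.007:420): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m is None:
            continue  # SYSCALL, PATH and other record types are skipped
        key = (context_type(m.group("scon")), context_type(m.group("tcon")),
               m.group("tclass"))
        entry = groups[key]
        entry["perms"].update(m.group("perms").split())
        entry["comms"].update(COMM_RE.findall(line))
        entry["count"] += 1
    return dict(groups)


def to_allow_rules(groups):
    """Render each group in allow-rule syntax for side-by-side review."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"])))
        for (src, tgt, cls), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    groups = summarize_denials(SAMPLE_LOG)
    for rule, (_, g) in zip(to_allow_rules(groups), sorted(groups.items())):
        print("%-62s # %d denial(s), comm=%s"
              % (rule, g["count"], ",".join(sorted(g["comms"]))))
```

Each printed line is one grant to accept or reject on its own merits; a rule that reaches an unexpected target type is a sign the file needs relabeling rather than a new allow rule.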