On 7 December 2010 00:29, Lamar Owen <[email protected]> wrote: > We > need a better configuration and troubleshooting interface so that the > protections don't get in the way of the user, which is > what happens now typically with SELinux, to where people say 'the fix was to > put SELinux in permissive mode' which is > patently wrong; workaround, yes, but that's not a fix.
In my experience, the fix is to move the audit logs to one side, switch to permissive mode, then try again. If that's fixed the issue then contacting the Fedora/Red Hat SELinux team through bugzilla (selinux-policy component) with the denials from the audit log generally results in a very fast fix (it'd be even faster for those of you in the US). Too many people just go "oh selinux - disable" as soon as they hit a problem, unfortunately this is also true of a number of Fedora's testers. The sealert/setroubleshoot daemons have made this process a lot simpler for end users, and even suggests which booleans and contexts may need changing. in the early days of Fedora when SELinux first arrived, things broke, and often. These days it's much better. If people start reporting problems with the policy I doubt it would take long before we had something that rarely ever broke, with programs gaining new functionality (and thus needing extra allow rules) being the general cause. Mark _______________________________________________ rhelv6-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/rhelv6-list
