>I am really trying to not turn off SELinux with this server, and only have 
>this one showstopper error.  But I don't know what to do with this gibberish:

Here's an extract from a page I wrote about SELinux (not currently published, 
or I could just send you the link).

--->8--- 
This is where it can get a bit hairy. I recommend creating /root/selinux as a 
scratchpad to work in, and as a record of what changes have been made.

First, copy and paste lines from the log into a file called thing0.log, where 
thing is a mnemonic name for what you're trying to enable. In this example, 
thing is smartd.

root# cd; mkdir selinux; cd selinux
root# cat > smartd0.log
type=AVC msg=audit(1425551687.181:491): avc:  denied  { getattr } for  
pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" 
ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc:  denied  { execute } for  
pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" 
ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=file

Next, see what allowing this would look like:

root# audit2allow < smartd0.log
#============= fsdaemon_t ==============
allow fsdaemon_t file_t:file { getattr execute };

Assuming this looks vaguely sane, generate a loadable module that will allow 
the access:

root# audit2allow -M smartd0 < smartd0.log

And then load that module, using the command it just told you (annoyingly, this 
step takes on the order of 10s):

root# semodule -i smartd0.pp

What you'll typically find is that whatever you were trying to do now fails at 
the next step. For example, you might have just allowed getattr access, but the 
next thing the program needs to do is open the file. Repeat the process with 
thing1.log. This does get a bit annoying, but I don't think I've ever taken 
more than about 3 or 4 steps.

Note that not everything forbidden by SELinux needs to be allowed. Quite often 
programs will happily run, despite generating a few warnings in the log.
---8<---

Hope this helps!

Toby.
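The rule-generation step in the procedure above, as an added example that is not part of Toby's page or of the audit2allow tool itself: a small sh/awk re-implementation that reads AVC denial lines, merges the permissions per (source type, target type, class) into the same "allow" rule audit2allow prints, and wraps it in module source laid out like the NAME.te file that "audit2allow -M NAME" writes. It also adds a check the procedure does not mention: denials whose target type is file_t are flagged, because file_t is the type a file gets when it carries no label at all, and in that case the usual remedy is "restorecon" on the path rather than an allow rule. The sample input is the post's two denials plus a constructed third "open" denial standing in for the next iteration; the function names are assumptions, and on a real system the real audit2allow output is authoritative.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of what audit2allow derives from
# AVC denial lines. Not the real tool; run audit2allow on the real box.

# Constructed sample: the two denials from the post plus an "open" denial of
# the kind the post says you typically hit on the next iteration.
SAMPLE_AVC='type=AVC msg=audit(1425551687.181:491): avc:  denied  { getattr } for  pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc:  denied  { execute } for  pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551700.000:493): avc:  denied  { open } for  pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# avc_to_allow (assumed name): read AVC lines on stdin and print one
# "allow" rule per (source type, target type, class), permissions merged.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0                                   # text between { and }
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        n = split(perms, p, / +/)
        match($0, /scontext=[^ ]+/)                  # user:role:type:level
        split(substr($0, RSTART + 9, RLENGTH - 9), sa, ":"); st = sa[3]
        match($0, /tcontext=[^ ]+/)
        split(substr($0, RSTART + 9, RLENGTH - 9), ta, ":"); tt = ta[3]
        match($0, /tclass=[^ ]+/)
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        key = st SUBSEP tt SUBSEP cls
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        for (i = 1; i <= n; i++) if (!((key, p[i]) in seen)) {
            seen[key, p[i]] = 1
            permlist[key] = (permlist[key] == "" ? "" : permlist[key] " ") p[i]
        }
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], permlist[keys[k]]
        }
    }'
}

# avc_to_te (assumed name): wrap the rules in module source laid out like the
# NAME.te that "audit2allow -M NAME" writes (module header, require block, rules).
avc_to_te() {
    name=$1
    rules=$(avc_to_allow)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '{
        types[$2] = 1                                # source type
        split($3, a, ":"); types[a[1]] = 1; cls = a[2]  # target type, class
        perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        n = split(perms, p, / +/)
        for (i = 1; i <= n; i++) if (!((cls, p[i]) in seen)) {
            seen[cls, p[i]] = 1
            cp[cls] = (cp[cls] == "" ? "" : cp[cls] " ") p[i]
        }
    }
    END {
        for (t in types) print "\ttype " t ";"
        for (c in cp) print "\tclass " c " { " cp[c] " };"
    }'
    printf '}\n\n%s\n' "$rules"
}

# flag_unlabeled (assumed name): print the paths of denials whose target type
# is file_t, i.e. files with no label. Allowing access to file_t is rarely what
# you want; "restorecon -v PATH" normally makes such a denial go away instead.
flag_unlabeled() {
    awk '/avc: *denied/ && /tcontext=[^ ]*:file_t:/ {
        match($0, /path="[^"]*"/); print substr($0, RSTART + 6, RLENGTH - 7)
    }' | sort -u
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_te smartd0
echo "unlabeled (file_t) targets, consider restorecon before allowing:"
printf '%s\n' "$SAMPLE_AVC" | flag_unlabeled
```

Against the sample the merged rule comes out as one line covering all three denials, which is also why it pays to collect a few rounds of denials in thingN.log before generating a module: the generated .te is what you should read before "semodule -i", and a target type of file_t in it is the signal to relabel rather than allow.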
