>> First, copy and paste lines from the log into a file called thing0.log where
>> thing is a mnemonic name for what you're trying to enable. In this example,
>> thing is smartd
>>
>> root# cd; mkdir selinux; cd selinux
>> root# cat > smartd0.log
>> type=AVC msg=audit(1425551687.181:491): avc: denied { getattr } for
>> pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
>> ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=AVC msg=audit(1425551687.181:492): avc: denied { execute } for
>> pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
>> ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>
>> Next, see what allowing this would look like
>>
>> root# audit2allow < smartd0.log
>> #============= fsdaemon_t ==============
>> allow fsdaemon_t file_t:file { getattr execute };
>>
>> Assuming this looks vaguely sane, generate a loadable module that will allow
>> the access
>>
>> root# audit2allow -M smartd0 < smartd0.log
>>
>> And then load that module, using the command it just told you (annoyingly,
>> this step takes on the order of 10s)
>>
>> root# semodule -i smartd0.pp
My God. It's full of stars!

This fixed the spamass-milter problem. And it seems to be the correct way to
fix the hundreds of other SELinux errors I have.

You take this box, and put it through a magic tunnel and see if it looks right.
If it does you put the box through another magic tunnel where it becomes a
robot. Then turn on the robot.

You don't need to know what the box really means nor what the magic tunnel
does. Even though it's retail (one-by-one), it does fix it permanently.

Thank you Toby.
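
A pre-check for the "does this look vaguely sane" step, as an added example that is not part of the original messages: it groups pasted AVC denials into the rule audit2allow would propose and lists the paths whose target type is a generic label (file_t in the log above), which usually means the file should be relabeled with restorecon rather than granted by an allow rule. The function names and the set of generic types are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted above, still wrapped as in the mail.
SAMPLE_LOG = '''type=AVC msg=audit(1425551687.181:491): avc: denied { getattr } for
pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc: denied { execute } for
pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
'''

# Assumption of this example: target types that mean "no useful label".
GENERIC_TARGET_TYPES = {"file_t", "unlabeled_t", "default_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)",
    re.S,  # records pasted from mail may span several lines
)
PATH_RE = re.compile(r'path="([^"]*)"')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for record in re.split(r"(?=type=AVC )", log_text):
        m = AVC_RE.search(record)
        if not m:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["paths"].update(PATH_RE.findall(record))
    return rules

def review(log_text):
    """One finding per proposed rule; relabel_candidates is non-empty for generic targets."""
    findings = []
    for (src, tgt, cls), info in sorted(summarize(log_text).items()):
        perms = " ".join(sorted(info["perms"]))
        generic = tgt in GENERIC_TARGET_TYPES
        findings.append({"rule": f"allow {src} {tgt}:{cls} {{ {perms} }};",
                         "relabel_candidates": sorted(info["paths"]) if generic else []})
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding["rule"], "| check label first:", finding["relabel_candidates"])
```

Permissions are printed in sorted order, so the rule text can differ in ordering from audit2allow's output while granting the same access.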