>> First, copy and paste lines from the log into a file called thing0.log where
>> thing is a mnemonic name for what you're trying to enable. In this example,
>> thing is smartd
>>
>> root# cd; mkdir selinux; cd selinux
>> root# cat > smartd0.log
>> type=AVC msg=audit(1425551687.181:491): avc: denied { getattr } for
>> pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
>> ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=AVC msg=audit(1425551687.181:492): avc: denied { execute } for
>> pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1"
>> ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>
>> Next, see what allowing this would look like
>>
>> root# audit2allow < smartd0.log
>> #============= fsdaemon_t ==============
>> allow fsdaemon_t file_t:file { getattr execute };
>>
>> Assuming this looks vaguely sane, generate a loadable module that will allow
>> the access
>>
>> root# audit2allow -M smartd0 < smartd0.log
>>
>> And then load that module, using the command it just told you (annoyingly,
>> this step takes on the order of 10s)
>>
>> root# semodule -i smartd0.pp
My God. It's full of stars! This fixed the spamass-milter problem. And it seems to be the correct way to fix the hundreds of other SELinux errors I have. You take this box, and put it through a magic tunnel and see if it looks right. If it does you put the box through another magic tunnel where it becomes a robot. Then turn on the robot. You don't need to know what the box really means nor what the magic tunnel does. Even though it's retail (one-by-one), it does fix it permanently. Thank you Toby.
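As an added example (not from either poster), a small Python script that parses AVC denial lines like the ones quoted above, merges the permissions per source type, target type and class the way audit2allow does, and flags rules whose target is file_t or unlabeled_t: those are the types SELinux gives files that carry no real label, so the "allow" the tool proposes would be papering over a labeling problem that restorecon should fix first. The sample log is constructed from the two smartd lines in the thread; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample log, modelled on the two smartd denials quoted above.
SAMPLE_LOG = """\
type=AVC msg=audit(1425551687.181:491): avc:  denied  { getattr } for  pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1425551687.181:492): avc:  denied  { execute } for  pid=20943 comm="smartd" path="/usr/lib64/libstdc++.so.6.0.19" dev="dm-1" ino=134323340 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Types SELinux assigns to files that carry no real label. An allow rule
# against them is almost always the wrong fix; relabel (restorecon) instead.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, [perms]) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                                    # not an AVC denial line
        stype = m.group("scontext").split(":")[2]       # context is user:role:type:level
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), m.group("perms").split()

def merge_rules(text):
    """Collapse denials into one rule per (source, target, class), as audit2allow does."""
    rules = OrderedDict()
    for stype, ttype, tclass, perms in parse_avc(text):
        seen = rules.setdefault((stype, ttype, tclass), [])
        seen.extend(p for p in perms if p not in seen)  # first-seen order, no duplicates
    return rules

def allow_rules(text):
    """Render merged rules in policy syntax, e.g. 'allow fsdaemon_t file_t:file { getattr execute };'."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in merge_rules(text).items()]

def unlabeled_targets(text):
    """Rules whose target type means 'no label': a relabeling bug, not a policy gap."""
    return [key for key in merge_rules(text) if key[1] in UNLABELED_TYPES]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for s, t, c in unlabeled_targets(SAMPLE_LOG):
        print(f"WARNING: {s} -> {t}:{c} targets an unlabeled type; run restorecon on the path before loading a module")
```

On the quoted log this prints the same rule audit2allow produced, plus a warning, because /usr/lib64/libstdc++.so.6.0.19 labeled file_t rather than lib_t means the filesystem is mislabeled and the module would grant smartd access to every unlabeled file, not just that library.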