Can't use new users?

Stephen Smalley sds at
Fri Sep 2 18:29:38 UTC 2005

On Fri, 2005-09-02 at 11:18 -0700, Ben wrote:
> Huh, setenforce 0 seems to have no effect. I see this when I run it:
> Sep  2 11:15:45 dumont kernel: audit(1125684945.038:24): avc:  granted  
> { setenforce } for  pid=6453 comm="setenforce" 
> scontext=root:system_r:unconfined_t 
> tcontext=system_u:object_r:security_t tclass=security
> .... but everthing remains broken the same way.

That message just shows you that permission was granted to switch
enforcing mode, so /usr/sbin/getenforce should now show that you are now
in Permissive mode, i.e. SELinux will only log permissions that would be
denied by policy but not actually enforce the denial.  If it is still
broken, then the SELinux kernel permission checks are unlikely to be the

Not sure it will work on FC3, but try enabling syscall auditing:
	/sbin/auditctl -e 1
And then try again.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list