selinux / semodule question

Daniel J Walsh dwalsh at
Tue Mar 14 21:16:35 UTC 2006

Brian Millett wrote:
> I've been trying to understand selinux on my laptop. 
> I'm running rawhide.  I have SELINUX=enforcing and SELINUXTYPE=targeted.
> I've had a few audit messages when I try to use NetworkManager & a vpn 
> connection. 
> To debug it, I ran audit2why and saw that all of the denied where from 
> a missing or disabled
> TE.
> I have ran (I'm sure there are other ways)
> audit2why < /var/log/audit/audit.log | audit2allow -M local
> and then ran semodule -i local.pp
> It seem to have loaded the local.pp.
> Do I need to put the "semodule -i local.pp" in a rc.local for each 
> boot?  Or is it automagic?
> Thanks.
No once you do a semodule -i, it permanently modifies the policy on 
disk.  the pp file is no longer required, unless you want to install it 
on other machines or if you remove the policy later using semodule -r.

More information about the fedora-test-list mailing list