[rhelv6-list] selinux (not quite) disabled?

Mark Chappell tremble at tremble.org.uk
Tue Dec 7 06:56:30 UTC 2010


On 7 December 2010 00:29, Lamar Owen <lowen at pari.edu> wrote:
> We need a better configuration and troubleshooting interface so that the
> protections don't get in the way of the user, which is what happens now
> typically with SELinux, to where people say 'the fix was to put SELinux in
> permissive mode' which is patently wrong; workaround, yes, but that's not a fix.

In my experience, the fix is to move the audit logs to one side,
switch to permissive mode, then try again.  If that's fixed the issue,
then contacting the Fedora/Red Hat SELinux team through bugzilla
(selinux-policy component) with the denials from the audit log
generally results in a very fast fix (it'd be even faster for those of
you in the US).  Too many people just go "oh selinux - disable" as
soon as they hit a problem; unfortunately this is also true of a
number of Fedora's testers.

The sealert/setroubleshoot daemons have made this process a lot
simpler for end users, and even suggest which booleans and contexts
may need changing.  In the early days of Fedora when SELinux first
arrived, things broke, and often.  These days it's much better.  If
people start reporting problems with the policy I doubt it would take
long before we had something that rarely ever broke, with programs
gaining new functionality (and thus needing extra allow rules) being
the general cause.


Mark
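
Added example, not part of the original message: Python code that pulls the `avc: denied` records out of an audit log and collapses duplicates into one line each, ready to paste into a selinux-policy bug report. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log content (not taken from the original message).
SAMPLE_LOG = """\
type=AVC msg=audit(1291704990.123:101): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1291704990.123:101): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1291704991.456:102): avc:  denied  { read } for  pid=2212 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291704995.789:103): avc:  denied  { name_connect } for  pid=2212 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291704999.000:104): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"

def parse_denials(text):
    """Return one dict per 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if "type=AVC" not in line or not m:
            continue  # SYSCALL records, 'granted' audit entries, noise
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "source": type_of(fields.get("scontext", "")),
            "target": type_of(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"),
        })
    return denials

def summarize(denials):
    """Collapse repeated denials into 'count x comm: source -> target:class { perms }'."""
    counts = Counter((d["comm"], d["source"], d["target"], d["tclass"], d["perms"])
                     for d in denials)
    return [f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}"
            for (comm, src, tgt, cls, perms), n in counts.most_common()]

if __name__ == "__main__":
    for line in summarize(parse_denials(SAMPLE_LOG)):
        print(line)
```
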