[Discuss] SELinux & IPTables

Chuck Anderson cra at WPI.EDU
Thu Apr 3 10:13:09 EDT 2014


Turn on auditd so the SELinux AVC messages go to
/var/log/audit/audit.log.  Then to see what the SELinux messages mean,
run:

audit2why < /var/log/audit/audit.log

To create a local policy to allow whatever is being denied:

audit2allow < /var/log/audit/audit.log

(There is another step to turn that into an actual module which you
can then use semodule -i to insert, but you should review what is in
there before deciding to blindly allow everything.)
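The review step above is the one people skip. As an added example (not code from the original post), the script below takes audit.log-style AVC lines and prints, per denial, the source domain, target type, object class and permission, so you can see what a generated module would actually allow before inserting it. The sample log lines are constructed for the example; the `build_module` function shows the audit2why / audit2allow -M / semodule -i sequence as it would be run on a real host and is not executed here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the standard auditd
# record format and the audit2why/audit2allow/semodule tools from
# policycoreutils on a real host.

# Constructed sample denials in audit.log format (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1396534389.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1396534389.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1396534390.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# One line per AVC denial: "<source domain> <target type> <class> <permission>".
# This is the "review what is in there" step: httpd_t reading user_home_t is
# usually a mislabelled file (fix with restorecon), not a missing allow rule.
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /^type=AVC/ && /denied/ {
            # permission set is between "{ " and " }"
            match($0, /[{] [^}]* [}]/)
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
                if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
                if (kv[1] == "tclass") cls = kv[2]
            }
            print src, tgt, cls, perm
        }'
}

# Number of distinct denials a log would turn into allow rules. A large count
# is a hint to fix labels or booleans rather than allow everything.
count_denials() {
    summarize_avc "$1" | sort -u | wc -l | tr -d ' '
}

# The real workflow on a host with the tools installed (not run here).
# $1 is the module name, e.g. local_httpd; audit2allow -M writes $1.te and $1.pp.
build_module() {
    audit2why   < /var/log/audit/audit.log            # explain each denial
    audit2allow -M "$1" < /var/log/audit/audit.log    # generate the module
    cat "$1.te"                                       # review the rules first
    # semodule -i "$1.pp"                             # insert only after review
}

summarize_avc "$SAMPLE_AVC"
```

Run it as-is to see the summary of the constructed sample; on a real system replace `SAMPLE_AVC` with `$(cat /var/log/audit/audit.log)` and only call `build_module` once the summary looks like genuine policy gaps rather than labelling mistakes.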

On Thu, Apr 03, 2014 at 07:12:53AM -0400, Jerry Feldman wrote:
> I used to set it to permissive also, but I didn't like many of the messages.
> 
> On 04/02/2014 11:37 PM, John Malloy wrote:
> >
> > That's a good idea!
> >
> > On Wed, Apr 2, 2014 at 11:21 PM, Peter (peabo) Olson <peabo at peabo.com
> > <mailto:peabo at peabo.com>> wrote:
> >
> >     On April 2, 2014 at 2:28 PM Jerry Feldman <gaf at blu.org
> >     <mailto:gaf at blu.org>> wrote:
> >     > One issue is that sometimes, companies make this a requirement,
> >     > and the IT people who do the real work just have to follow the rules.
> >     > Whenever I set up a new system I always go to /etc/selinux and
> >     > change config to SELINUX=disabled
> >     > I recently changed SELINUXTYPE to disabled, and screwed up
> >     > everything to where I could not even log in. That is what rescue
> >     > systems are for.
> >
> >     I usually change it to 'permissive', which keeps things running
> >     while you get a chance to review the logs to see what SELinux would
> >     like to do to you.
