BLU Discuss list archive
[Discuss] SELinux & IPTables
- Subject: [Discuss] SELinux & IPTables
- From: cra at WPI.EDU (Chuck Anderson)
- Date: Thu, 3 Apr 2014 10:13:09 -0400
- In-reply-to: <533D4235.7020402@blu.org>
- References: <CAM9bQ=hCqhSGMvm2c29Gr5ySwvUVjxkuT-=qJb98PVgi3UXk_w@mail.gmail.com> <533C36D7.8060503@gmail.com> <CANaytccdL=GFkjcx56yRZvNTjgz0E4EccqEivw1Tmk-NH3yr4w@mail.gmail.com> <533C3CC6.7040709@gmail.com> <533C56C0.6050200@blu.org> <216636861.124504.1396495269884.JavaMail.vpopmail@webmail.networksolutionsemail.com> <CAM9bQ=ht69M9N1SEbys7rTJWHz2b-2HmP3DMk1iLYtT1=oXOvA@mail.gmail.com> <533D4235.7020402@blu.org>
Turn on auditd so the SELinux AVC messages go to /var/log/audit/audit.log.
Then to see what the SELinux messages mean, run:

audit2why < /var/log/audit/audit.log

To create a local policy to allow whatever is being denied:

audit2allow < /var/log/audit/audit.log

(There is another step to turn that into an actual module which you can
then use semodule -i to insert, but you should review what is in there
before deciding to blindly allow everything.)

On Thu, Apr 03, 2014 at 07:12:53AM -0400, Jerry Feldman wrote:
> I used to set it to permissive also, but I didn't like many of the messages.
>
> On 04/02/2014 11:37 PM, John Malloy wrote:
> > That's a good idea!
> >
> > On Wed, Apr 2, 2014 at 11:21 PM, Peter (peabo) Olson <peabo at peabo.com> wrote:
> > > On April 2, 2014 at 2:28 PM Jerry Feldman <gaf at blu.org> wrote:
> > > > One issue is that sometimes, companies make this a requirement, and the
> > > > IT people who do the real work just have to follow the rules.
> > > > Whenever I set up a new system I always go to /etc/selinux and change
> > > > config to SELINUX=disabled
> > > > I recently changed SELINUXTYPE to disabled, and screwed up everything to
> > > > where I could not even log in. That is what rescue systems are for.
> > >
> > > I usually change it to 'permissive', which keeps things running while you
> > > get a chance to review the logs to see what SELinux would like to do to you.
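As an added example (not from the thread), a small Python script for the "review what is in there" step: it parses AVC denial lines in the audit.log format, aggregates them by source type, target type and object class, and prints the approximate allow rules that audit2allow would turn them into, so you can see what a blind audit2allow run would grant. The log lines are constructed sample data, and the rule rendering is an approximation of audit2allow's output, not its actual code.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real captured data):
# three AVC denials for httpd plus one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396534389.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1396534389.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1396534389.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/jdoe/public_html/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1396534390.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# An AVC record: result, permission set, and the source/target contexts and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(log_text):
    """Return one dict per AVC denial; the type is the third field of a context."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        denials.append({
            'stype': m.group('scontext').split(':')[2],
            'ttype': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass'),
            'perms': m.group('perms').split(),
            'comm': comm.group(1) if comm else '?',
        })
    return denials

def summarize(denials):
    """Aggregate by (source type, target type, class) -> set of denied permissions."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return dict(agg)

def as_allow_rules(summary):
    """Render each aggregate as the allow rule audit2allow would roughly emit."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == '__main__':
    for rule in as_allow_rules(summarize(parse_avc(SAMPLE_AUDIT_LOG))):
        print(rule)   # each line is a rule to check before semodule -i
```

Seeing "allow httpd_t user_home_t:file" and "allow httpd_t mysqld_port_t:tcp_socket" side by side makes the review concrete: the first may be better solved by relabelling the files, and the second is a policy decision about letting the web server reach the database port.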