Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] SELinux & IPTables



Turn on auditd so the SELinux AVC messages go to
/var/log/audit/audit.log.  Then to see what the SELinux messages mean,
run:

audit2why < /var/log/audit/audit.log

To create a local policy to allow whatever is being denied:

audit2allow < /var/log/audit/audit.log

(There is another step to turn that into an actual module which you
can then use semodule -i to insert, but you should review what is in
there before deciding to blindly allow everything.)

On Thu, Apr 03, 2014 at 07:12:53AM -0400, Jerry Feldman wrote:
> I used to set it to permissive also, but I didn't like many of the messages.
> 
> On 04/02/2014 11:37 PM, John Malloy wrote:
> >
> > That's a good idea!
> >
> >
> >
> > On Wed, Apr 2, 2014 at 11:21 PM, Peter (peabo) Olson <peabo at peabo.com
> > <mailto:peabo at peabo.com>> wrote:
> >
> >     On April 2, 2014 at 2:28 PM Jerry Feldman <gaf at blu.org
> >     <mailto:gaf at blu.org>> wrote:
> >     > One issue is that sometimes, companies make this a requirement,
> >     > and the IT people who do the real work just have to follow the rules.
> >     > Whenever I set up a new system I always go to /etc/selinux and
> >     > change config to SELINUX=disabled
> >     > I recently changed SELINUXTYPE to disabled, and screwed up
> >     > everything to where I could not even log in. That is what rescue
> >     > systems are for.
> >
> >     I usually change it to 'permissive', which keeps things running
> >     while you get a chance to review the logs to see what SELinux
> >     would like to do to you.
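
The review step the top of the thread recommends, as an added example that is not from any poster: this script parses constructed AVC denial lines in the /var/log/audit/audit.log format, groups the denied permissions by source type, target type and object class, and renders the allow rules audit2allow would propose, so each one can be judged before `audit2allow -M` and `semodule -i` are run for real. The sample log and the helper names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of /var/log/audit/audit.log (not real data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396500000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1396500001.456:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1396500002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396500000.123:456): arch=c000003e syscall=2 success=no exit=-13
"""

# Only AVC records matter here; pull the permission set, the type field of the
# source and target contexts (user:role:type:level) and the object class.
AVC_RE = re.compile(
    r'type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m['stype'], m['ttype'], m['tclass'])
            denials[key].update(m['perms'].split())
    return denials


def allow_rules(denials):
    """Render one 'allow' rule per (source, target, class), the shape audit2allow emits."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    # Each printed rule is a grant to question: httpd reaching into home
    # directories or the database port may deserve a boolean or a relabel
    # rather than a blanket allow.
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Point it at the real file with `parse_denials(open('/var/log/audit/audit.log').read())`; the grouping makes it obvious when one domain is being handed access to many unrelated types.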



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
