On Monday 29 November 2010 00:55:47 Nico Kadel-Garcia wrote:
> On Sun, Nov 28, 2010 at 10:39 AM, Bob McConnell rmcconne@lightlink.com
> wrote:
> > fault of SELinux, and advocating that SELinux is bad because some manager doesn't know about security is completely wrong IMHO. And supporting advice given to people on this list to turn off SELinux because some devs in some company don't do their job right is also completely wrong.
> No, I question its utility because the engineering effort is burdensome, it wastes testing cycles best spent elsewhere, and the error messages are.... less than helpful.

Just a small suggestion regarding the error messages --- take a look at setroubleshoot, it was designed to help out with making AVC denials more human-friendly. And it typically works quite well.
When triggered by a denial, setroubleshoot alerts the user, explains what went wrong, why it went wrong and what options you have for fixing it. All that in nice plain English :-). Typically it also tells you the exact set of commands you need to execute if you wish to modify the policy to allow that particular access. If you are aware of the risks and know what you are doing, a couple of copy&paste commands in the root prompt remove the SELinux restrictions for good. It also works in permissive mode, if you wish to tweak your local policy without impacting a runtime environment.
Of course, it is not always a good idea to modify the policy (it would be better to remove the problem at app/config level), but sometimes one doesn't have a choice, as in your case. :-)
HTH, :-) Marko