Simon Billis wrote:
Alexander Farber sent a missive on 2010-09-29:
On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis simon@houxou.com wrote:
<snip>
You can use "setenforce 0" without the quotes to disable selinux from the command line till next reboot or until you issue "setenforce 1" - this is useful for testing as is looking at /var/log/audit/audit.log and also using commands such as audit2why and audit2allow (I strongly recommend reading at least the man pages and also such websites as http://www.nsa.gov/research/selinux/docs.shtml (google selinux))
Yeah, and the sealert messages in /var/log/messages *sometimes* help, and other times are garbage. (Yes, I filed a bug with the sealert team: for some things, it 100% repeatably keeps telling me that I should set httpd_unified to on... when it's been on for months. Obviously, they missed a condition, and fall through to an incorrect default.)
I didn't know that there were additional attributes for the files. And I don't know how to stop/start SELinux (it is not a service in /etc/init.d, right?) but I'd like to keep SELinux running, since all other programs I've listed seem to cope okay with it.
I recommend that you keep selinux running and enforcing and that you spend some time learning it. It is very useful. The config files are located here: /etc/selinux and you can set selinux to be disabled or, if you want, permissive, i.e. it will not stop you or others doing things but will report on the violations.
*bleah* to selinux.
mark
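
An added example, not part of the thread: a small triage script for the /var/log/audit/audit.log review suggested above, which groups AVC denials by process, source type, target type and object class so repeated denials collapse into one line. The function names are hypothetical and the log lines are constructed samples in the audit.log AVC format.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1285774140.101:311): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=81921 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1285774140.102:312): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/alex/www/index.html" dev=dm-0 ino=81921 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1285774140.102:312): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1285774201.530:320): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1285774300.000:330): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Header of an AVC record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Map (comm, source type, target type, class) -> sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("result") != "denied":
            continue  # skip SYSCALL and other record types, and granted AVCs
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= kv.keys():
            continue  # truncated or malformed record
        key = (kv.get("comm", "?"), type_of(kv["scontext"]),
               type_of(kv["tcontext"]), kv["tclass"])
        summary[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (comm, src, tgt, cls), perms in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Each summary line is the (source type, target type, class, permissions) tuple that audit2allow would turn into an allow rule, so it is worth reading before generating any policy from the log.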