On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
On 12/8/10 4:22 AM, David Sommerseth wrote:
On 30/11/10 03:52, cpolish@surewest.net wrote:
Christopher Chan wrote:
Les Mikesell wrote:
[...snip...]
As was already mentioned in another post, run in permissive mode, for a few days if you must, and go through all the things the software does and voila! setroubleshoot and/or logs tell you what needs doing.
Very optimistic, that. In my shop, some things run annually. A comprehensive system test = production, for a year. Just this morning a 1099 (annual tax-form) script failed in test.
So you would rather disable SELinux completely - 365 days a year, rather than to switch to permissive mode when running this script once a year?
I'm sorry, but I'm not able follow that logic.
In our case if something fails once a year we lose customers and money. I'd expect that to be fairly common.
Again, that particular process is unlikely to be missed and also show to be easily mitigated by doing a realtime switch from enforcing to permissive. Such annual processes are fairly common and usually run manually. You have yet to make a compelling case for completely disabling SELinux just for this sort of thing.