On Mon, 2007-06-25 at 09:16 -0400, Jim Perrin wrote:
> Rebuilding the code won't solve the problem. You'll have to modify the
> selinux rules so that these actions are allowed. For Centos5 and rhel5
> this is pretty easy.
>
> 1. Enable selinux in permissive mode, and capture the selinux error
>    messages. They'll likely be in /var/log/audit/audit.log or
>    /var/log/messages
> 2. Run audit2allow -i selinux.log -M localpolicy
> 3. Next you load the module you just created with 'semodule -i localpolicy.pp'
>
> Lather, rinse, repeat.

Actually, I don't think this is a very good idea (I know it is suggested in upstream documentation).

For instance, suppose that clamav is tagged as, say, 'bin_t', and executing clamav was rejected. The above will usually add an allow rule for executing bin_t binaries for the context of the caller. This obviously punches a big hole in a policy if it does not allow such a thing.

Make your own policy modules for local policy (you could create a start with command (2)), but add and check rules and contexts manually. audit2allow is a nice tool to see what was denied, but its output should not be copied verbatim.

--
Daniel
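An added example of the manual review step Daniel describes, not code from the thread: it parses AVC denial lines in the audit.log format, renders the allow rules audit2allow would produce for them, and flags rules whose target is a generic file type (such as bin_t), where the right fix is usually a relabel rather than an allow. The log lines, the clamd_t/clamd_var_lib_t types and the list of generic types are constructed for illustration.

```python
import re

# Constructed AVC denial lines modelled on the "clamav labelled bin_t" case.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1182783000.123:456): avc:  denied  { execute } for  pid=1234 comm="clamd" name="clamscan" dev=sda1 ino=12345 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1182783001.456:457): avc:  denied  { read } for  pid=1234 comm="clamd" name="main.cvd" dev=sda1 ino=12346 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
"""

# Generic types that many unrelated files carry; an allow rule against them
# is rarely what you want (assumed, illustrative list).
BROAD_TARGET_TYPES = {"bin_t", "usr_t", "etc_t", "var_t", "tmp_t"}

# Extract permissions, source type, target type and object class from an AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def allow_rules(rules):
    """Render each group as the allow rule audit2allow would emit for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Flag rules that would grant access to a generic type instead of a
    properly labelled one; those usually mean the file needs relabelling."""
    findings = []
    for (s, t, c), perms in sorted(rules.items()):
        if t in BROAD_TARGET_TYPES:
            findings.append(f"{s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}: "
                            "target is a generic type; check the file's label "
                            "(restorecon/chcon) before adding this rule")
    return findings


if __name__ == "__main__":
    denied = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(denied)))
    print("\n".join(review(denied)))
```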