> m.roth at 5-cent.us wrote:
>>>> Does anyone know? Are we, with CentOS, that far behind with something
>>>> like this, which isn't even a port, but a policy?
>>> I dunno about CentOS but on Fedora I just look at the message in the
>>> log file (/var/log/messages IIRC) and it gives me a command to execute
>>> to view more details. When I do that, I get a window that comes up
<snip>
>> Yeah, I can use audit2allow. The trouble is that I don't know the
>> ramifications of just adding that policy on an ad hoc basis - it might
>> open it up for a real attack.
>
> Of course you should be cautious of opening up things you do not fully
> understand, but you're running in permissive mode meaning that you are
> already wide open from an SELinux perspective so adding a custom policy
> and putting SELinux back into enforcing mode isn't going to put you any
> more at risk other than maybe giving you some false sense of security.

Yes, but I have some systems that *do* have it enforcing, and some that are
permissive are also production (as in, websites visible to the world), and
I want to test my changes before I put them on the enforcing servers....

        mark