On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote: > On 12/8/10 4:22 AM, David Sommerseth wrote: >> On 30/11/10 03:52, cpolish at surewest.net wrote: >>> Christopher Chan wrote: >>>> Les Mikesell wrote: >> [...snip...] >>>> As was already mentioned in another post, run in permissive mode, for a >>>> few days if you must, and go through all the things the software does >>>> and voila! setroubleshoot and/or logs tell you what needs doing. >>> >>> Very optimistic, that. In my shop, some things run annually. >>> A comprehensive system test = production, for a year. Just >>> this morning a 1099 (annual tax-form) script failed in test. >> >> So you would rather disable SELinux completely - 365 days a year, rather >> than to switch to permissive mode when running this script once a year? >> >> I'm sorry, but I'm not able follow that logic. > > In our case if something fails once a year we lose customers and money. I'd > expect that to be fairly common. > Again, that particular process is unlikely to be missed and also show to be easily mitigated by doing a realtime switch from enforcing to permissive. Such annual processes are fairly common and usually run manually. You have yet to make a compelling case for completely disabling SELinux just for this sort of thing.