On Tue, May 25, 2010 at 09:09:33PM -0500, Jay Leafey wrote:
> In your case, there should have been AVC errors showing up in the
> audit log related to smbd. Using restorecon to fix up the security
> context on the files in /etc/samba might have resolved the issue
> quickly... but I guess the trick is having run across it before, eh?

Thoughtful advice. Thanks. Is there some method to duplicate basic configuration files across selinux servers without running restorecon for each set of files that's copied over - that is, to copy them with their selinux labels intact?

From this limited example, it looks like selinux gets in the way of standard administrative tasks, yet wouldn't be in the way at all of anyone who'd acquired a shell within which they could run another shell and with that call whatever program they like.

I was just reading a review by Freeman Dyson of physicist Steven Weinberg's new book, Lake Views. Dyson is impressed by Weinberg's argument that for defense we often go to "glorified technologies" which don't really do for us what we expect. For example, mounted knights, which were the expensive high tech approach to war of their time, more often than not lost to peasants with pikes. The list goes on from there, right up to the present.

In its modest way, selinux would fit right into that record. It's complex and shiny and expensive to maintain (hell, its competitor is even called "AppArmor" - armour?). But is it as essentially useless in real combat as mounted knights were against a line of men with spears? Or as today's wishful and extravagant missile defense?

Best,
Whit
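
The check Jay Leafey describes in the quoted text, as an added example that is not part of the original thread: it pulls smbd AVC denials out of audit-log text and, when a denied file carries a type other than the one expected for Samba configuration, returns the restorecon command he mentions. The log lines are constructed, the function names are hypothetical, and `samba_etc_t` as the expected type for /etc/samba is an assumption about the targeted policy.

```python
import re

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1274839773.101:410): avc:  denied  { read } for  pid=2101 comm="smbd" name="smb.conf" dev=dm-0 ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274839773.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274839780.007:411): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/etc/samba/smbusers" dev=dm-0 ino=132 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274839790.500:412): avc:  denied  { name_bind } for  pid=900 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

EXPECTED_TYPE = "samba_etc_t"  # assumption: type the policy gives /etc/samba files

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def smbd_label_denials(log_text, comm="smbd"):
    """List (target, target_type, perms) for file/dir denials hit by `comm`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm and rec.get("tclass") in ("file", "dir"):
            target = rec.get("path") or rec.get("name")
            # tcontext is user:role:type:level; the type is the third field.
            hits.append((target, rec["tcontext"].split(":")[2], rec["perms"]))
    return hits


def suggest_fix(hits, expected_type=EXPECTED_TYPE, path="/etc/samba"):
    """Return a relabel command if any denied target has an unexpected type."""
    mislabeled = [h for h in hits if h[1] != expected_type]
    return f"restorecon -Rv {path}" if mislabeled else None


if __name__ == "__main__":
    found = smbd_label_denials(SAMPLE_LOG)
    for target, ttype, perms in found:
        print(f"smbd denied {perms} on {target} (labelled {ttype})")
    print(suggest_fix(found))
```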