Simon Billis wrote:
> Alexander Farber sent a missive on 2010-09-29:
>> On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis <simon at houxou.com> wrote:
<snip>
> You can use "setenforce 0" without the quotes to disable selinux from the
> command line till next reboot or until you issue "setenforce 1" - this is
> useful for testing as is looking at /var/log/audit/audit.log and also
> using commands such as audit2why and audit2allow (I strongly recommend reading
> at least the man pages and also such websites as
> http://www.nsa.gov/research/selinux/docs.shtml (google selinux))
>
Yeah, and the sealert messages in /var/log/messages *sometimes* help, and
other times are garbage. (Yes, I filed a bug with the sealert team: for some
things, it 100% repeatably keeps telling me that I should set httpd_unified
to on... when it's been on for months. Obviously, they missed a condition,
and fall through to an incorrect default.)
>>
>> I didn't know that there were additional attributes for the files.
>> And I don't know how to stop/start SELinux (it is not a service in
>> /etc/init.d, right?) but I'd like to keep SELinux running, since all
>> other programs I've listed seem to cope okay with it.
>
> I recommend that you keep selinux running and enforcing and that you spend
> some time learning it. It is very useful. The config files are located
> here:
> /etc/selinux and you can set selinux to be disabled or if you want
> permissive i.e. it will not stop you or others doing things but will
> report
> on the violations.

*bleah* to selinux.

     mark