On Tue, Nov 5, 2013 at 3:38 PM, <m.roth at 5-cent.us> wrote:

> John R Pierce wrote:
> > On 11/5/2013 2:15 PM, m.roth at 5-cent.us wrote:
> >> Wes James wrote:
> >>> When does echo 0 > /selinux/enforce need to be used? I.e., where is
> >>> selinux enforcing itself on the system to protect it? When I do yum
> >>> install of some package, it seems to work (not being blocked). When
> >>> would doing something not work because selinux is watching it (or
> >>> whatever that process is doing)?
> >>
> >> It changes selinux mode from enforcing to permissive, which means it
> >> still complains, but lets the processes run anyway.
> >
> > the most common scenario for selinux problems is when you change default
> > locations for something, for instance, putting a postgresql database
> > cluster on a different path than /var/lib/postgresql/x.y/data, or have
> > users with home directories other than /home/$USER
> >
> > if you do something like this and get weird errors, you can set selinux
> > to permissive, and see your thing works. if so, analyze the selinux
> > error logs to see what corrective action you need (typically, relabeling
> > the unusual location for whatever it is).
>
> Or you might need to create special local policies for software in
> non-standard (but standard for your work environment) locations, or for
> local or third party software that was written in total ignorance or
> disregard of selinux (such as from CA, or Matlab...), or, in some cases,
> just leave it in permissive mode.
>
> mark "NOT a fan of selinux, dealt with it far too much"

OK. Why not use some other linux that doesn't use selinux then? I guess in permissive mode, you could still monitor the logs and take action, if needed.

-wes
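
The log-analysis step mentioned in the thread (run in permissive mode, then read the denials to decide what to relabel), sketched as an added example that is not code from any poster. The sample AVC lines, the `/pgdata`-style scenario and the `GENERIC_TYPES` heuristic are constructed assumptions; the field layout follows the audit.log AVC record format.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1383690000.101:401): avc:  denied  { read } for  pid=2101 comm="postgres" name="PG_VERSION" dev=sda3 ino=131 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1383690000.102:402): avc:  denied  { search } for  pid=2101 comm="postgres" name="pgdata" dev=sda3 ino=130 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1383690000.103:403): avc:  denied  { read } for  pid=2101 comm="postgres" name="pg_hba.conf" dev=sda3 ino=132 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1383690000.103:403): arch=c000003e syscall=2 success=no exit=-13 comm="postgres"
type=AVC msg=audit(1383690050.200:410): avc:  denied  { name_connect } for  pid=2300 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

# Assumption (heuristic for this example): a target carrying one of these
# catch-all types usually means the path has no matching file-context rule,
# i.e. the "unusual location" case that is fixed by relabeling
# (semanage fcontext to add the rule, then restorecon to apply it).
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def summarize_denials(log_text):
    """Group AVC denials by (command, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        # An SELinux context is user:role:type:level; the type is field 3.
        key = (m["comm"], m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["count"] += 1
    report = []
    for (comm, stype, ttype, cls), g in sorted(groups.items()):
        action = "relabel" if ttype in GENERIC_TYPES else "review"
        report.append({"comm": comm, "source": stype, "target": ttype,
                       "class": cls, "perms": sorted(g["perms"]),
                       "count": g["count"], "action": action})
    return report

if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_LOG):
        print(row)
```

Rows marked "review" are denials where the target already has a specific type, so relabeling is not the obvious fix and the access itself needs a decision.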