On 2/26/20 9:52 AM, Nicolas Kovacs wrote:
> On 26/02/2020 at 11:51, Nicolas Kovacs wrote:
>> SELinux is preventing /usr/bin/python2.7 from read access on the file
>> disable.
>>
>> ***** Plugin catchall (100. confidence) suggests *****
>>
>> If you believe that python2.7 should be allowed read access on the
>> disable file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
>> # semodule -i my-f2bserver.pp
>>
>> Weirdly enough, when I follow this suggestion and then empty audit.log
>> and restart my server, I still get the exact same error again.
>
> I reinstalled this server from scratch and took some notes. This time I
> was successful, though I don't know exactly what I did differently this
> time.
>
> Usually I work as non-root user and call sudo whenever I need root
> permissions.
>
> But is this OK when enabling SELinux modules? Let's consider the example
> given above:
>
> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
> # semodule -i my-f2bserver.pp
>
> Can I also perform it like this?
>
> $ sudo ausearch -c 'f2b/server' --raw | sudo audit2allow -M my-f2bserver
> $ sudo semodule -i my-f2bserver.pp

This should work.

Likely the reason that it didn't resolve in one go is that there were
multiple denials - but the first time it just failed on the first one.
Someone else mentioned running in non-enforcing mode to allow the audit
log to collect all of the denials and then generating the module - this
is a good practice.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
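Added example, not part of the original message and not code from audit2allow: a small parser that groups "avc: denied" records into allow rules, run over a log holding only the first denial (enforcing) and over one collected in permissive mode. The log records, the source type fail2ban_t and the target types example_conf_t and example_state_t are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields of an "avc: denied" audit record that determine the allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def setype(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(lines, comm=None):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None or (comm is not None and m["comm"] != comm):
            continue
        key = (setype(m["scon"]), setype(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """Render the grouped denials as policy allow statements."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {text};")
    return out

# Constructed sample records (not taken from the poster's audit.log).
def _avc(perm, tgt, cls, permissive):
    return ('type=AVC msg=audit(1582714320.100:101): avc:  denied  { %s } for  '
            'pid=1234 comm="f2b/server" scontext=system_u:system_r:fail2ban_t:s0 '
            'tcontext=system_u:object_r:%s:s0 tclass=%s permissive=%d'
            % (perm, tgt, cls, permissive))

ENFORCING_LOG = [_avc("read", "example_conf_t", "file", 0)]
PERMISSIVE_LOG = [
    _avc("read", "example_conf_t", "file", 1),
    _avc("open", "example_conf_t", "file", 1),
    _avc("getattr", "example_conf_t", "file", 1),
    _avc("search", "example_state_t", "dir", 1),
]

if __name__ == "__main__":
    for name, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(name, *allow_rules(summarize_denials(log, comm="f2b/server")), sep="\n  ")
```

A module built from the enforcing log covers only the one read permission, so the next denial surfaces on the following restart; the permissive log yields every rule in one pass, and each rule can be reviewed before loading the module.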