On Fri, 21 Sep 2007 06:47:12 +0100, Andy Green wrote:

> Just to be clear, that is what "permissive" does... it lets you know
> what selinux wouldn't've let through, but lets it through anyway. So
> these error messages represent a passive opinion from selinux about what
> it didn't like (but did nothing to prevent). So selinux is only to
> blame for filling your logs, not any other badness while in permissive.

In other words, what it tells me in these messages is false?? And the distractions it creates to draw attention to itself could be proxied out, if I knew how??

The messages in the display when I click on that big yellow star are all of the form "SELinux *has* blocked ..." or "... *has* denied ..." or the like -- indicative mood.

> IMO it is better to make selinux happy, if possible without causing a
> heart attack, than to disable it.

Such has indeed been my practice heretofore -- and I'm getting heartily sick of it.

> Why not start with
>
> # touch /.autorelabel
>
> and a reboot. This will make sure your files have the right selinux
> label, the cause of many problems.

Like Gene, I have done that, over and over; I haven't counted, but it must be at *least* half a dozen times per machine. It is usually anything but convenient to shut all the apps on all the workspaces down, just because some nanny I don't need has yet another hissy fit. And when I do do it, it takes forever and a month to reboot.

It may well be that NSA and those of you with big production sites to administer do need all this. You certainly (and I hope to God NSA, too, despite being a gummint bureaucracy) understand it far better. To start with, surely, you can tell by looking what is serious and what isn't -- i.e., what you can safely ignore till you get around to it, if ever.

My half dozen little machines, all behind at least one router, physically inaccessible to anyone but my wife and me, running every *other* defense I can find and manage, and with nothing in the way of wealth, power, or prominence to attract evildoers, ought to be a somewhat different kettle of fish. No doubt the crackers out there have bots sniffing at every machine they can find in existence. But, unless I've completely misunderstood everything I've read on news.grc.com over the years, if such a bot suggests my little operation to its obnoxious owner, s/he will realize at first glance that nothing here is worth the trouble it would take to conquer, with or without SELinux even installed.

Suggestion: persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.

-- 
Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Remember I know precious little of what I am talking about.
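The point Andy makes above (a permissive-mode "denied" record is advisory, an enforcing-mode one is a real block) can be made visible by reading the AVC records in /var/log/audit/audit.log and wording each one according to the mode SELinux was actually in. The following parser is an added example written for this thread, not code from either poster; the sample log lines are constructed, and the `permissive=` field it looks for is written only by newer kernels, so for older logs the mode is passed in by the caller (e.g. from `getenforce`).

```python
import re
from collections import Counter

# Shape of an AVC record in audit.log: "avc:  denied  { perms } for  key=value ..."
# (quoted values may contain spaces, so they are matched as a unit).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parsed fields of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
        "tclass": fields.get("tclass", "?"),
        # Newer kernels record permissive=0/1 per denial; 2007-era logs lack it,
        # so describe() then relies on the mode the caller supplies.
        "permissive": fields.get("permissive"),
    }

def describe(rec, mode_permissive=None):
    """Word the denial in the mood that matches the mode SELinux was in."""
    if rec["permissive"] is not None:
        permissive = rec["permissive"] == "1"
    elif mode_permissive is not None:
        permissive = mode_permissive
    else:
        raise ValueError("mode unknown: no permissive= field and no mode given")
    verb = "would have denied (permissive)" if permissive else "denied (enforcing)"
    return "SELinux %s %s by %s on %s: %s -> %s" % (
        verb, "/".join(rec["perms"]), rec["comm"], rec["tclass"],
        rec["scontext"], rec["tcontext"])

def summarize(lines):
    """Count denials by (comm, tclass, permission) so a repeating one shows up once."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["tclass"], perm)] += 1
    return counts

# Constructed sample records (not taken from the original post or a real system).
SAMPLE = [
    'type=AVC msg=audit(1190357232.123:456): avc:  denied  { read getattr } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1190357240.001:457): avc:  denied  { getattr } for  pid=2346 comm="httpd" path="/home/bt/public_html" dev=sda1 ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1190357240.001:457): arch=40000003 syscall=195 success=yes exit=0',
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE)):
        print(describe(rec, mode_permissive=True))
    print(summarize(SAMPLE))
```

Run against a real audit.log the summary shows which few (comm, class, permission) triples account for the bulk of the noise, which is the first step toward deciding what to relabel and what to leave alone.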