Quotes of the week
Posted Apr 20, 2006 15:52 UTC (Thu) by shahms (subscriber, #8877)
In reply to: Quotes of the week by loening
Parent article: Quotes of the week
/var/log/audit/audit.log would be a good place to start looking. If the action was denied by SELinux there will almost always be an entry in there.

I do agree that the existing documentation is sorely lacking, but the "Disable SELinux" is entirely the wrong approach for a multitude of reasons. It may be appropriate for debugging problems, but is not the right way to do it. If disabling SELinux "fixes" the problem, that just tells you where to start looking. It's like any new subsystem: as a system administrator you have to learn how to start debugging it.

Here's a hint: 9 times out of 10, these problems can be solved by changing booleans or fixing file labels, neither of which is any more complex than changing existing configuration settings or making sure files are readable by Apache.

Smalley is correct: SELinux itself is not terribly complex, and the security models it uses are relatively straightforward. The complexity comes from the comprehensive nature of the policy and the very, very fine-grained permissions it exposes.
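An added example, not part of shahms's comment: a small parser that pulls AVC denials out of audit.log text and groups them by process, source type, target type and object class, which is the information needed to decide whether a file label or a boolean is involved. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log record format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1145548320.101:41): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=dm-0 ino=49153 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1145548320.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1145548321.202:42): avc:  denied  { getattr read } for  pid=2211 comm="httpd" name="style.css" dev=dm-0 ino=49154 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1145548400.303:57): avc:  denied  { name_connect } for  pid=2215 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1145548410.404:58): avc:  granted  { load_policy } for  pid=900 comm="load_policy" scontext=root:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denials(text):
    """Return one dict per AVC denial; other record types and grants are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group(1) != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated or malformed record
        denials.append({
            "comm": fields.get("comm", "?"),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": m.group(2).split(),
        })
    return denials

def summarize(denials):
    """Group denials by (comm, source type, target type, class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set()})
    for d in denials:
        g = groups[(d["comm"], d["source"], d["target"], d["tclass"])]
        g["count"] += 1
        g["perms"].update(d["perms"])
    return {k: (v["count"], sorted(v["perms"])) for k, v in groups.items()}

if __name__ == "__main__":
    for key, (count, perms) in summarize(parse_denials(SAMPLE_LOG)).items():
        print(count, *key, "{ " + " ".join(perms) + " }")
```

To run it against a real log, pass the contents of /var/log/audit/audit.log to `parse_denials` instead of `SAMPLE_LOG`.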