Quotes of the week
Posted Apr 20, 2006 15:52 UTC (Thu) by shahms
In reply to: Quotes of the week
Parent article: Quotes of the week
/var/log/audit/audit.log would be a good place to start looking. If the action was denied by SELinux there will almost always be an entry in there. I do agree that the existing documentation is sorely lacking, but the "Disable SELinux" is entirely the wrong approach for a multitude of reasons. It may be appropriate for debugging problems, but is not the right way to do it. If disabling SELinux "fixes" the problem, that just tells you where to start looking. It's like any new subsystem, as a system administrator you have to learn how to start debugging it. Here's a hint: 9 times out of 10, these problems can be solved by changing booleans or fixing file labels, neither of which is any more complex than changing existing configuration settings or making sure files are readable by Apache. Smalley is correct, SELinux itself is not terribly complex, the security models it uses are relatively straightforward, the complexity comes from the comprehensive nature of the policy and the very, very fine-grained permissions it exposes.
to post comments)