On 7/3/2011 5:15 PM, Cameron Simpson wrote:
> On 03Jul2011 15:02, Paul Allen Newell<pnewell@xxxxxxxxxx> wrote:
> | On 7/3/2011 2:54 PM, Paul Morgan wrote:
> |>On Jul 3, 2011 5:38 PM, "Paul Allen Newell"<pnewell@xxxxxxxxxx
> |><mailto:pnewell@xxxxxxxxxx>> wrote:
> |>
> |>it really is bad form to run a script out of root's home
> |>directory.
>
> A little untidy, sure. But...
>
> [...]
>
> And regarding the "why does selinux log so much with setenforce 0":
> selinux isn't off, it is just in "permissive" mode - report all
> violations of the rules but don't prevent them. It is a debugging mode;
> the intent is that you correct your rules. You can also run the system
> with selinux genuinely off, though I think it may need a reboot once
> selinux has been started at all.
>
> Cheers,

Regarding where to put it, I was already thinking /usr/local/{bin,sbin}, just wanted to figure out whether bin or sbin was better (gut instinct would be bin).

I have managed to figure out that there is this mode known as "permissive" and that sure cleared up a lot of my "on/off" assumptions.

I have been reading up about rules and audit2allow. Makes sense in theory, but when I looked at the rule that was generated with audit2allow, it's 365 lines long. Plus trying multiple reboots gives me warnings about different files. When rebooting, I see 50 warnings; when I run as root, I see @270 warnings (only /home for reboot; all searched directories for running in terminal). The 365 is only for the 50 warning version ... I can't see any way to temporarily disable selinux from catching violations while I do the clamscan (though the pop-up asks me if I want alerts, it doesn't look like getting an alert prevents the violation from being caught).

My first question is whether there is a way to go "allow clamscan_t * {read open search getattr}" so that clamscan will have permission to examine anything on the system (which is what I would want with a virus scan, right?).
I discovered that the write warnings were for the debug writing to *.out and *.err per your suggestion, so I gratefully don't have to give clamscan write clearance.

The second question is why wouldn't selinux be defaulted to allow clamav given that's what Fedora seems to be suggesting/using? That being said, there is probably a good reason that I am not savvy enough to see ... but I still want to ask the question.

One good thing is I'm finally beginning to get an idea of what selinux is out of all this ...

Thanks,
Paul
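Added example, not part of the original thread: a Python script that groups AVC denials for clamscan_t into one allow rule per target type and class, the way audit2allow output is keyed, which shows why scanning more directories produces more rules, and that separates out write-class denials such as the *.out/*.err ones mentioned in the message. The log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the poster's system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309731300.101:501): avc:  denied  { read } for  pid=2301 comm="clamscan" name="notes.txt" dev=dm-1 ino=4101 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309731300.102:502): avc:  denied  { open } for  pid=2301 comm="clamscan" name="notes.txt" dev=dm-1 ino=4101 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309731300.090:500): avc:  denied  { search } for  pid=2301 comm="clamscan" name="paul" dev=dm-1 ino=4000 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309731301.200:503): avc:  denied  { getattr } for  pid=2301 comm="clamscan" name="hosts" dev=dm-0 ino=912 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1309731302.300:504): avc:  denied  { write } for  pid=2301 comm="clamscan" name="scan.out" dev=dm-0 ino=77 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1309731303.400:505): avc:  denied  { read } for  pid=990 comm="httpd" name="index.html" dev=dm-1 ino=4200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

WRITE_PERMS = {"write", "append", "create", "unlink", "setattr", "rename"}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize_denials(log_text, source_type="clamscan_t"):
    """Merge denials into {(target_type, class): {perms}} for one source type."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # not an AVC denial, or a different domain
        key = (selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_rules(rules, source_type="clamscan_t"):
    """Render the merged denials as allow rules, one per target type and class."""
    return [f"allow {source_type} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(rules.items())]

def write_denials(rules):
    """Denials that would grant modification rights; review these before allowing."""
    return {k: p & WRITE_PERMS for k, p in rules.items() if p & WRITE_PERMS}

if __name__ == "__main__":
    merged = summarize_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(render_rules(merged)))
    print("write-class denials to review:", write_denials(merged))
```

Each newly scanned directory tree adds target types the scanner had not touched before, so the rule count tracks how many distinct labels were visited rather than how many files were read.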