I have been using 'selinux=1 enforcing=0' with the thought that my system will work, but if things are not right, an avc message will appear in my log files. The /etc/selinux/config file had the contents

    [root@hoho2 user1]# cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcinfg - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    #SELINUX=disabled
    SELINUX=enforcing
    SELINUXTYPE=strict
    POLICYTYPE=strict
    [root@hoho2 user1]#

I was dutifully going to 'init 1' and doing 'fixfiles relabel' after every update of policy or selinux related software - and then rebooting. [I still got lots of avc messages]

Then I changed the /etc/selinux/config to the version shown below and rebooted. I got far fewer messages, and I was even able to go to root when clicking on gnome applications that required higher priority (with above config contents, whatever I typed was not enough, gnome kept coming back for more)

    [root@hoho2 user1]# cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcinfg - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    #SELINUX=disabled
    SELINUX=enforcing
    #SELINUXTYPE=strict
    SELINUXTYPE=permissive
    POLICYTYPE=strict
    [root@hoho2 user1]#

My assumption has been that the boot parameters override the contents of the /etc/selinux/config file, and that the boot param 'enforcing=0' will make the selinux a permissive one. Have these assumptions changed?