Hi Stephen and all,
There is an 'enableaudit' target in the policy Makefile that does precisely that - see the Fedora SELinux FAQ. 'make enableaudit load', then 'make clean load' later to revert.
Cool! I clearly need to re-read the FAQ, since it's apparently been updated since my last reading <g>. Good work, Karsten!
2. Is there possibly a better policy tweak that would permit Snort to restart okay? I'm not cheerful about giving Snort access to the console.
Update to the latest FC2 kernel and policy. A change was made to SELinux to re-open descriptors that it closes on exec to the null device. This avoids inducing program misbehavior when SELinux closes descriptors.
Drat! No can do: The latest kernel includes a bug that restricts my Intel e1000 network adapter to about 20 kbps. So, I've been forced to regress to the next-to-latest kernel.
Thanks,