On Fri, 2005-09-02 at 11:18 -0700, Ben wrote:
> Huh, setenforce 0 seems to have no effect. I see this when I run it:
>
> Sep 2 11:15:45 dumont kernel: audit(1125684945.038:24): avc: granted
> { setenforce } for pid=6453 comm="setenforce"
> scontext=root:system_r:unconfined_t
> tcontext=system_u:object_r:security_t tclass=security
>
> .... but everthing remains broken the same way.
That message just shows you that permission was granted to switch
enforcing mode, so /usr/sbin/getenforce should now show that you are now
in Permissive mode, i.e. SELinux will only log permissions that would be
denied by policy but not actually enforce the denial. If it is still
broken, then the SELinux kernel permission checks are unlikely to be the
cause.
Not sure it will work on FC3, but try enabling syscall auditing:
/sbin/auditctl -e 1
And then try again.
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
