Unfortunately, I have to allow for it to "work" now, but I don't want to turn off selinux. My first draft is this, by the way, and it's "working", so managers are off my back.

ai.te:

    policy_module(ai,0.0.1)

    type ai_initrc_exec_t;
    init_script_type(ai_initrc_exec_t);

    type ai_exec_t;
    userdom_executable_file(ai_exec_t);

    unconfined_alias_domain(ai_t);
    init_daemon_domain(ai_t,ai_exec_t)

    type ai_log_t;
    logging_log_file(ai_log_t)

    manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
    manage_files_pattern(ai_t,ai_log_t,ai_log_t)

ai.fc:

    /etc/rc\.d/init\.d/ai   --  gen_context(system_u:object_r:ai_initrc_exec_t,s0)
    /usr/r/bin/aiadmin      --  gen_context(system_u:object_r:ai_initrc_exec_t,s0)
    /usr/r/bin/aiclient     --  gen_context(system_u:object_r:ai_exec_t,s0)
    /usr/r/bin/aiagent      --  gen_context(system_u:object_r:ai_exec_t,s0)
    /usr/r/logs(/.*)?           gen_context(system_u:object_r:ai_log_t,s0)

I just need to figure out what kind of auditallow statement to put in so it will log what wasn't specifically allowed only.

The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.

Sincerely yours,
Vadym Chepkov

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
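For the macro-discovery problem raised in the message above, an added example (not part of the original post): a small Python indexer that reads the `.if` files under /usr/share/selinux/devel/include and maps each interface or template name to its first doc-comment summary. The function names, the embedded sample text and the `demo_*` interfaces are constructed for illustration; the parser assumes the usual `## <summary>` comment layout that precedes each definition.

```python
import re
from pathlib import Path

# Matches the opening line of a definition: interface(`name',` or template(`name',`
DEF_RE = re.compile(r"^(interface|template)\(`([A-Za-z0-9_]+)'")

def first_summary(doc_lines):
    """Return the first <summary> text of a doc-comment block, whitespace-collapsed."""
    m = re.search(r"<summary>(.*?)</summary>", " ".join(doc_lines), re.S)
    return " ".join(m.group(1).split()) if m else ""

def index_interfaces(text, source="<string>"):
    """Map name -> (kind, source, summary) for every definition in one .if file."""
    index, doc = {}, []
    for line in text.splitlines():
        if line.startswith("###"):            # separator bar: a new doc block starts
            doc = []
        elif line.startswith("##"):           # doc-comment line
            doc.append(line[2:].strip())
        elif (m := DEF_RE.match(line)):
            index[m.group(2)] = (m.group(1), source, first_summary(doc))
            doc = []
        elif not line.startswith("#"):        # blank or body line ends any doc block
            doc = []
    return index

def build_index(root="/usr/share/selinux/devel/include"):
    """Index every .if file below root (path taken from the message above)."""
    index = {}
    for path in sorted(Path(root).rglob("*.if")):
        index.update(index_interfaces(path.read_text(errors="replace"), str(path)))
    return index

def search(index, needle):
    """Names whose identifier or summary contains needle (case-insensitive)."""
    needle = needle.lower()
    return sorted(n for n, (_, _, s) in index.items()
                  if needle in n.lower() or needle in s.lower())

# Constructed sample in the .if layout; demo_* names are hypothetical.
SAMPLE = """## <summary>Constructed demo module</summary>

########################################
## <summary>
##  Create a domain for a demo daemon.
## </summary>
## <param name="domain">
##  <summary>Type to be used as the daemon domain.</summary>
## </param>
#
interface(`demo_daemon_domain',`
    gen_require(`type demo_t;')
')

########################################
## <summary>Mark a type as a demo log file.</summary>
#
template(`demo_log_file',`
    logging_log_file($1)
')
"""

if __name__ == "__main__":
    for name, (kind, src, summary) in sorted(index_interfaces(SAMPLE, "demo.if").items()):
        print(f"{name:24} {kind:10} {src}: {summary}")
```

On a system with the policy development headers installed, `search(build_index(), "log")` lists every interface whose name or summary mentions logging, along with the file that defines it.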