Perhaps you could install (when still in permissive mode) a custom module containing the rules generated by audit2allow.

    cat /var/log/audit/audit.log | audit2allow -m local > local.te

Eventually edit local.te to suit your needs and then do:

    checkmodule -M -m -o local.mod local.te
    semodule_package -o local.pp -m local.mod
    semodule -i local.pp

In your particular case, I see that you cannot do "ls" from su because of some of the user_su_t denials and you cannot get a new login because of the getty_t and sysadm_t denials and perhaps others.

Guido
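
Every denial fed to audit2allow becomes an allow rule in local.te, so it is worth seeing which domains and objects they involve before editing and loading the module. The following is an added example, not part of the original message: a shell/awk summary of AVC denials grouped by source type, target type and class. The log lines are constructed and the function names `sample_log` and `summarize_avc` are hypothetical.

```shell
#!/bin/sh
# Added example: group AVC denials by (source type, target type, class)
# so the permissions local.te would grant can be reviewed before loading.

# Constructed sample audit.log lines (not taken from the original thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1130000000.101:11): avc:  denied  { read } for  pid=2101 comm="ls" name="root" dev=hda1 ino=2 scontext=user_u:user_r:user_su_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1130000000.102:12): avc:  denied  { getattr } for  pid=2101 comm="ls" name="root" dev=hda1 ino=2 scontext=user_u:user_r:user_su_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1130000000.103:13): avc:  denied  { read write } for  pid=1900 comm="mingetty" name="tty1" dev=tmpfs ino=77 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
type=SYSCALL msg=audit(1130000000.103:13): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1130000000.104:14): avc:  denied  { read } for  pid=2101 comm="ls" name="root" dev=hda1 ino=2 scontext=user_u:user_r:user_su_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
EOF
}

# Reads audit log text from the named files (or stdin) and prints one line
# per source/target/class with the union of denied permissions and a count.
summarize_avc() {
    awk '
    $1 == "type=AVC" && /denied/ {
        src = tgt = cls = perms = ""
        inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms " " $i; continue }
            # A context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record
        key = src " " tgt ":" cls
        count[key]++
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                set[key] = set[key] " " p[j]
            }
    }
    END {
        for (k in count)
            printf "%s {%s } # %d denial(s)\n", k, set[k], count[k]
    }' "$@" | sort
}

sample_log | summarize_avc
```

On a real system, run `summarize_avc /var/log/audit/audit.log` and compare the result with the generated local.te before running `semodule -i`.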