On Thu, Apr 23, 2015 at 5:14 PM, Spector, Aaron <Aaron_Spector@xxxxxxxxxx> wrote:
> Hi all,
>
> I’ve been working on writing my first policy for SELinux and I’ve hit a bit
> of a snag. I’ve gotten the policy clean in permissive mode, but when I swap
> the system over to enforcing, a whole new set of policy issues crop up.
> Everything I’ve read says this isn’t to be expected so I’m a bit confused as
> to what’s happening.

{snip}

> So far what I’ve had to do to get around it is to add to my policy, but that
> doesn’t seem like that should be necessary. If the audit is clean in
> permissive mode, why isn’t it clean in enforcing?
>
> Is it possible that I’m missing policy deny audits when it’s in permissive
> mode?

It's important to remember that when you are in permissive mode you
will only see a given SELinux AVC denial *once*; after that it will
not be reported until the AVC is reset. My two favorite ways of
resetting the SELinux AVC are to run either 'load_policy' or toggle
the system from permissive into enforcing and then back into
permissive mode. Try that and I suspect that will solve your problem.

-Paul

--
paul moore
www.paul-moore.com
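
The report-once behaviour described in the reply above, as an added example that is not part of the original message and is not kernel code: a simplified Python model of the AVC showing why a permissive-mode audit log can look clean while the policy is still incomplete. The type names, policy table and workload are constructed, and audit rate limiting and dontaudit rules are not modelled.

```python
# Simplified model of the SELinux access vector cache (AVC); not kernel code.
# Type names, policy table and workload below are constructed for illustration.
POLICY = {("myapp_t", "etc_t", "file"): {"read"}}
WORKLOAD = [
    ("myapp_t", "var_log_t", "file", "open"),
    ("myapp_t", "var_log_t", "file", "append"),
    ("myapp_t", "etc_t", "file", "read"),
]


class ToyAVC:
    def __init__(self, policy, enforcing):
        self.policy = policy          # {(scontext, tcontext, tclass): {perms}}
        self.enforcing = enforcing
        self.cache = {}               # permissions the cache currently grants
        self.audit_log = []           # denials that were reported

    def check(self, scon, tcon, tclass, perm):
        """Return True if the access proceeds; record a denial if one is reported."""
        key = (scon, tcon, tclass)
        granted = self.cache.setdefault(key, set(self.policy.get(key, ())))
        if perm in granted:
            return True
        self.audit_log.append((scon, tcon, tclass, perm))
        if self.enforcing:
            return False              # denied and reported on every attempt
        granted.add(perm)             # permissive: cached as granted, not reported again
        return True

    def reset(self):
        """AVC reset, as triggered by load_policy or the mode toggle."""
        self.cache.clear()


def run(avc, times):
    """Replay the workload and return how many denials are now in the log."""
    for _ in range(times):
        for access in WORKLOAD:
            avc.check(*access)
    return len(avc.audit_log)


def demo():
    permissive = ToyAVC(POLICY, enforcing=False)
    first = run(permissive, 3)        # each missing permission reported once
    permissive.audit_log.clear()      # log cleared before re-testing
    rerun = run(permissive, 3)        # looks clean, policy is still incomplete
    permissive.reset()
    after_reset = run(permissive, 1)  # the same denials are reported again
    enforcing = run(ToyAVC(POLICY, enforcing=True), 3)
    return first, rerun, after_reset, enforcing
```

`demo()` returns the denial counts for the first permissive run, a re-run after clearing the log, a run after the AVC reset, and three enforcing runs.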