Re: selinux preventing clamd and amavisd even in Permissive

[John Dennis <jdennis redhat com>]

> There are others, but selinux should only log the AVCs in Permissive. 
> Right? But the selinux system is actually doing denials.

Just for clarification, setroubleshoot will still report a denial in 
permissive mode because it is logged as a denial by the audit system, 
however the action should still be permitted.

There is an open bug report requesting the text in the setroubleshoot 
message to be modified when the system is in permissive mode to say 
"SELinux would have denied" instead of denied. We're going to be fixing 
that, it's not quite as trivial as it seems because all the messages 
have been translated into other languages so you can't just do a simple 
string substitution and retain correct grammar in another language, but 
we will be fixing this one way or another.

In theory if you're spam filtering is not working it shouldn't be 
because SELinux is actually denying anything because you're in 
permissive mode. I would first look elsewhere. I'm not saying it's 
impossible it's SELinux, but because you're in permissive mode it's very 
unlikely.
--
John Dennis <jdennis redhat com>