SELinux newbie

[Stephen Smalley]

On Tue, 2008-01-15 at 14:34 +0100, Sietjp wrote:
> 
> Hi all,
> Sorry for this newbie post.
> I'm running fedora 8 and lamp.
> All is wroking fine except of emails. Apache is not able to send emails via
> sendmail.
> 
> I tried setenforce 0, and then all is working fine.
> 
> But as I'm not a lazy guy, I would like to keep SELInux active and understand
> what is giong wrong.
> 
> Please help :)
> I don't ask for the solution but maybe a starting point or a link, thx :)

If you install setroubleshoot (yum install setroubleshoot), it can
detect and report SELinux denials to you in a more friendly manner,
either via desktop alert or via email if it is a server.

Or you can look at the audit logs (/sbin/ausearch -i -m AVC) or system
logs (grep avc /var/log/messages) to see what denials are being
generated, and report those to this list.

audit2allow can help you work around denials, but you should post the
denials to get guidance on the proper fix.  setroubleshoot can sometimes
help as well with pointing you in the right direction.

Stephen Smalley
National Security Agency