Setroubleshoot errors in /var/log/messages

Jorge Fábregas jorge.fabregas at gmail.com
Sat Jan 22 15:32:58 UTC 2011


On 01/22/2011 11:02 AM, Richard Shaw wrote:
> Jan 22 08:59:45 hobbes setroubleshoot: Setroubleshoot can not analyze
> AVCs while dontaudit rules are disabled, 'semodule -B' will turn on
> dontaudit rules.
> 
> What does it mean and should I do what it says?

What version of Fedora are you running?  Since when did it start
happening?  Does it happen when you do a particular action (open any
particular program)?

In the SELinux policy, there are dozens of these "dontaudit rules".
They basically deny access requested by some program.  These denials are
so generic that the policy writer decided not to audit them so you won't
get plenty of denial messages in your logs.  On the rare occasion that
you suspect SELinux is causing problems (and you're not getting any
message in the logs) then you would "disable" these dontaudit-rules in
order to get FULL detail of every denial.  You disable these "dontaudit
rules" by doing "semodule -DB".  If you haven't done this yourself,
I'm really not sure why you are getting these messages.

Try running "semodule -B" and see if that solves it.

HTH,
Jorge


