<p><br>
On Jul 3, 2011 5:38 PM, "Paul Allen Newell" <<a href="mailto:pnewell@cs.cmu.edu">pnewell@cs.cmu.edu</a>> wrote:<br>
><br>
> On 7/3/2011 12:53 AM, Cameron Simpson wrote:<br>
> > On 02Jul2011 22:26, Paul Allen Newell<<a href="mailto:pnewell@cs.cmu.edu">pnewell@cs.cmu.edu</a>> wrote:<br>
> > | On 7/2/2011 10:06 PM, Joe Zeff wrote:<br>
> > |> On 07/02/2011 09:45 PM, Cameron Simpson wrote:<br>
> > |>> That should be the case. (Of course, SELinux can break anything - if you<br>
> ><br>
> ><br>
> > You can put it into non-enforcing mode on the fly with the command:<br>
> ><br>
> > setenforce 0<br>
> ><br>
> > Run "setenforce 1" to turn it back on.<br>
> ><br>
><br>
> That seemed to do it ... wrapping the clamscan in setenforce=0 /<br>
> setenforce=1 produced scans of all files and no errors. Many thanks for<br>
> the advice on how to do.<br>
><br>
> Of course, your comment in other email about "if you can establish that<br>
> disabling selinux makes it work", I sure got alot of barking from<br>
> selinux and guess I need to learn all about rules for it.<br>
><br>
> Total of 355 errors regarding "read", "getattr", "search", "open", and<br>
> "write". It appears that it is related to files/binaries/whatever in<br>
> /bin, /sbin, and ~root (maybe /tmp?). I need to do some further<br>
> debugging to confirm this (and to reduce the testing to something<br>
> manageable)<br>
><br>
> The suggestions the pop-up gives me are for "allow this access for now"<br>
> as opposed to something more permanent.<br>
><br>
> Before I go starting to learn about selinux rules, I wanted to check<br>
> whether my sense that "if I do a setenforce=0 then I would expect<br>
> selinux to be disabled until setenforce=1; hence, why does it need rules<br>
> when disabled" is a proper way to look at it.<br>
><br>
> And, yes, my security stance is such that I don't mind a temporary<br>
> disable while clamscan is running, I would rather not permanently<br>
> disable selinux.<br>
><br>
> Thanks in advance,<br>
> Paul<br></p>
<p>it really is bad form to run a script out of root's home directory. Perhaps put it in /usr/sbin , restorecon, and leave selinux enforcing the whole time. </p>
<p>-paul</p>