With the policy updates that came with centos 7.1 update, I am trying to update a few local policies we have but with `setenforce 0` I do not get an avc at all when running my app, however enabling it and rerunning it generates one, but without seeing them all that approach would be like wack-a-mole. The avc I am getting after setenforce 1 is run is: type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=sytype=SYSCAL Why does this not trigger a denial in permissive mode? Thanks, jlc