On 12/24/2013 10:27 AM, Marko Vojinovic issued this missive:
On Tue, 24 Dec 2013 09:48:38 -0800 Rick Stevens ricks@alldigital.com wrote:
I've said this before and I'll say it again...permissive mode does NOT allow ALL access (permissive != disabled, despite what others may say). If you see selinux deny messages, it's still being denied. I've seen this bite people a number of times.
Care to give a F18/19/20-working example of this?
IOW, provide a sequence of steps on a clean Fedora install that works with selinux disabled, while it fails with selinux in permissive mode?
I don't have examples at hand, but I have seen FTP-related stuff, some upgrades and some other network-related things fail when SELinux is in permissive mode and work just fine when it's disabled. I never bothered tracking specifically what they are--it's just when they poop out, I've disabled SELinux, redone it and it's worked fine. I have then put it back in permissive mode, looked at the denial messages and put in local rules to cover them and gone to "targeted" mode.
Permissive does allow most actions, but there are some things it still denies. I guess "permissive" should be taken literally, like "we're relaxing most of the rules, but there are some we are going to enforce as long as we're in charge."
As I said, I don't have examples but the OP on this thread ran into the same thing I've hit in the past. He went from permissive to disabled and it worked. I'm just saying that permissive is not the same thing as disabled. ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, AllDigital ricks@alldigital.com - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - Microsoft Windows: Proof that P.T. Barnum was right - ----------------------------------------------------------------------