This chapter discusses troubleshooting and customizing your SELinux policy and
presents a methodology for writing policy. Specific cautions are discussed.
When troubleshooting, use the kernel boot parameter
selinux=0 as a last resort. If using
setenforce during runtime is not sufficient, try
booting with enforcing=0 to switch to permissive
mode. You still have SELinux checking enabled and avc:
denied messages logged to $AUDIT_LOG, but the enforcing
By troubleshooting with SELinux enabled, you can more easily identify and
resolve problems. For example, if SELinux is fully disabled, the
-Z option is not available for finding the security
context of objects. You are not able to relabel a file or the file
system with SELinux disabled. Finally, any new files or directories you
create have no SELinux security attributes, causing more problems when you
boot into SELinux.
Save selinux=0 and
/etc/sysconfig/selinux/ for longer-term disabling.