This chapter discusses troubleshooting and customizing your
SELinux policy and presents a methodology for writing policy.
Specific cautions are discussed.
When troubleshooting, use the kernel boot parameter selinux=0 as a last resort. If using
setenforce during runtime is not
sufficient, try booting with enforcing=0 to switch to permissive mode.
You still have SELinux checking enabled and avc: denied messages logged to $AUDIT_LOG, but the enforcing is disabled.
By troubleshooting with SELinux enabled, you can more easily
identify and resolve problems. For example, if SELinux is fully
disabled, the -Z option is not available
for finding the security context of objects. You are not able to
relabel a file or the file system with SELinux disabled. Finally,
any new files or directories you create have no SELinux security
attributes, causing more problems when you boot into SELinux.
Save selinux=0 and
SELINUX=disabled in /etc/sysconfig/selinux/ for longer-term