
Get permission denied with SELinux enabled, but no AVC denials

Have a program that works with setenforce 0 but fails with some kind of permission denied error under setenforce 1, and you see no AVC denials?

In that case, try running:

$ sudo semodule -D -B

This rebuilds the SELinux policy modules with the "dontaudit" rules disabled. In practice, those rules mean Red Hat does not log certain read/write AVC denials, on the assumption that they are caused by leaked file descriptors.

Now run ausearch again and check for fresh denials.

$ sudo ausearch -m avc -ts today

To revert, rebuild the policy without -D; otherwise you might get a lot more AVC denials than you want.

$ sudo semodule -B
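
With the dontaudit rules off, the audit log gets noisy, so it helps to group the denials for just the program being debugged. The helper below is an added example, not part of the original post; the program name myapp and the sample audit lines are constructed, and it assumes the usual one-record-per-line AVC format with an unquoted-space-free comm= value.

```sh
#!/bin/sh
# Added example. "myapp" and every log line below are constructed.
# Real use: sudo ausearch -m avc -ts today | summarize_avc yourprogram

# summarize_avc COMM: read audit records on stdin, keep AVC denials whose
# comm= matches COMM, print "count source_type target_type:class { perms }".
summarize_avc() {
    awk -v want="$1" '
    /avc:[ ]+denied/ {
        comm = ""; src = ""; tgt = ""; cls = ""; perms = ""
        # The denied permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (comm == want) seen[src " " tgt ":" cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample: two real-looking file denials for myapp, one of the
# process-class denials that dontaudit normally hides, and unrelated records.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1633170000.101:501): avc:  denied  { read write } for  pid=2101 comm="myapp" path="/var/log/example.log" dev="dm-0" ino=1001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1633170000.101:501): arch=c000003e syscall=59 success=yes exit=0 comm="myapp"
type=AVC msg=audit(1633170000.102:502): avc:  denied  { noatsecure } for  pid=2101 comm="myapp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1633170001.200:503): avc:  denied  { siginh } for  pid=2200 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1633170002.300:504): avc:  denied  { read write } for  pid=2101 comm="myapp" path="/var/log/example.log" dev="dm-0" ino=1001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
}

sample_avc_log | summarize_avc myapp
```

Denials that only appear after the rebuild with -D are the previously hidden ones; compare the summary before and after to see which of them line up with the failure.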

Last update: October 2, 2021