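Use ausearch -m avc to find denials. If there are none, that's probably because some distro maintainer decided that the denial should be silent (a dontaudit rule):
semodule -DB turns logging of those silent denials on (it rebuilds the policy with dontaudit rules disabled), and
semodule -B turns them back off.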
When trying to get things to work correctly with audit2allow, skip the 15 minutes of doing things over and over, triggering different denials and running audit2allow -M mymodule < fails; semodule -i mymodule.pp each time, by just doing a quick setenforce 0 before doing it once. All of the actions (AVCs?) in creating a file will show up in the log in one shot. Obviously turn on enforcing mode afterwards.
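An added example, not from the original post: a shell function that condenses the AVCs captured in one permissive-mode run into the allow-rule shape audit2allow prints, so the whole batch can be reviewed before it becomes a module. The log lines and the myapp_t / var_spool_t types are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a batch of AVC denials would grant, for review
# before running audit2allow -M on the same input.

sample_avcs() {  # constructed log lines; myapp_t / var_spool_t are made-up types
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=4242 comm="myapp" name="spool" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.101:502): avc:  denied  { add_name } for  pid=4242 comm="myapp" name="job1" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.101:503): avc:  denied  { create } for  pid=4242 comm="myapp" name="job1" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:504): avc:  denied  { write open } for  pid=4242 comm="myapp" name="job1" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.350:511): avc:  denied  { write } for  pid=4242 comm="myapp" name="spool" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=1
EOF
}

avc_summary() {
    # Pass 1: emit "source target class perm" for every denied permission.
    awk '
    /avc: +denied/ {
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next   # incomplete record, skip
        inside = 0                      # permissions sit between "{" and "}"
        for (i = 1; i <= NF; i++) {
            if ($i == "}") inside = 0
            if (inside) print s, t, c, $i
            if ($i == "{") inside = 1
        }
    }' | LC_ALL=C sort -u | awk '
    # Pass 2: group the de-duplicated permissions into one line per rule.
    {
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $4
        } else perms = perms " " $4
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# On a live system: ausearch -m avc -ts recent | avc_summary
sample_avcs | avc_summary
```

Read the summary (or the generated mymodule.te) before running semodule -i, since audit2allow turns every logged denial into an allow rule.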
When in doubt, consult the colouring book. Yes, that's real.

Tags: linux, selinux