I am trying to update some local policies for bacula that allow a series of clients with pre run scripts to su in order to perform some preparatory work for a backup. With selinux enforcing, the su is denied obviously execute as bacula_t tries su_exec_t. You only see this with enforcing enabled? So creating an initial policy for that (this is not the way to do this) allows one more avc to appear for execute_no_ as bacula_t tries su_exec_t again. The problem is once these are enabled with local policies they seem to be ignored producing the same avc's. Why are the initial avc's not generated in permissive allowing a complete policy to be derived? If they can't appear in permissive mode, even after playing wackamole with avc's one by one, there is no resolution as they continue to get denied. Anyone else seeing similar or know what I am missing? Bacula-fd runs as root/root. Thanks, jlc