search for: execute_no_

...to su in order to perform some preparatory work for a backup. With selinux enforcing, the su is denied obviously execute as bacula_t tries su_exec_t. You only see this with enforcing enabled? So creating an initial policy for that (this is not the way to do this) allows one more avc to appear for execute_no_ as bacula_t tries su_exec_t again. The problem is once these are enabled with local policies they seem to be ignored producing the same avc's. Why are the initial avc's not generated in permissive allowing a complete policy to be derived? If they can't appear in permissive mode, even...