SELinux tricks - permissive domain

Sometimes you hit a policy issue, make non-standard configuration changes, or just need a daemon to work regardless of SELinux restrictions. In these cases you might want to switch a domain to permissive:

# semanage permissive -a <domain>

This simple command creates and loads a module permissive_<domain> with one rule:

# bzcat /var/lib/selinux/targeted/active/modules/400/permissive_openvpn_t/cil 
(typepermissive openvpn_t)

From this point, SELinux is not enforced on openvpn_t, while AVCs are still logged.
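Because the AVCs keep being logged, the audit log shows exactly what the permissive domain would have been denied. The following is an added example, not part of the original post: it keeps only the records marked permissive=1 for one domain and groups them into allow-style lines. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. List what a permissive domain would have been denied,
# grouped as allow-style lines. Reads audit records on stdin.
permissive_avc_summary() {
    domain="$1"
    awk -v dom="$domain" '
    /avc:  *denied/ && / permissive=1( |$)/ {
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype != dom) next
        # Permissions are the words between "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        if (a == 0 || b <= a) next
        n = split(substr($0, a + 1, b - a - 1), p, " ")
        for (j = 1; j <= n; j++) seen[ttype ":" tclass " " p[j]] = 1
    }
    END { for (k in seen) print k }' |
    LC_ALL=C sort |
    awk -v dom="$domain" '
    function emit() { printf "allow %s %s {%s };\n", dom, prev, set }
    $1 != prev { if (prev != "") emit(); prev = $1; set = "" }
    { set = set " " $2 }
    END { if (prev != "") emit() }'
}

# Constructed sample records (not from a real system). The fourth record was
# enforced (permissive=0) and the fifth belongs to another domain.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000001.101:201): avc:  denied  { read open } for  pid=900 comm="openvpn" name="client.key" dev="dm-0" ino=4242 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.102:202): avc:  denied  { read } for  pid=900 comm="openvpn" name="client.crt" dev="dm-0" ino=4243 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000003.103:203): avc:  denied  { name_bind } for  pid=900 comm="openvpn" src=11940 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1699990000.001:101): avc:  denied  { write } for  pid=850 comm="openvpn" name="resolv.conf" dev="dm-0" ino=77 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000004.104:204): avc:  denied  { getattr } for  pid=1200 comm="httpd" path="/home/user/index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | permissive_avc_summary openvpn_t
```

On a live system the input would be the audit log, typically /var/log/audit/audit.log. Once the policy covers what the summary shows, semanage permissive -d <domain> removes the permissive module again.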