It's a little more complex than just changing a variable, unfortunately. The quick way to do this is:
1- setenforce 0
This will temporarily set SELinux to permissive mode. It will still log audits, but not enforce the restrictions.
2- Exercise the application. Use as many features as you reasonably can for the functions you want permitted.
3- setenforce 1
This re-enables enforcing mode.
4- You need to create a directory for a local policy, and create some files. For example:
mkdir /etc/local-selinux-policy
cd /etc/local-selinux-policy
touch local.fc local.if local.pp local.te
5- Add the allow statements to the local policy:
audit2allow -l -a >> local.te
6- Edit the local.te file, and add a header and 'require' definition for each type (the "_t" entries). When you are done, it should look like this example:
policy_module(local, 1.0)
require {
type automount_t;
type bluetooth_helper_t;
type unlabeled_t;
type xdm_t;
}
allow automount_t unlabeled_t:dir getattr;
allow bluetooth_helper_t xdm_t:fd use;
7- You can now add the local policy with:
/usr/sbin/setenforce 0
cd /etc/local-selinux-policy/
/usr/bin/make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i local.pp
/usr/sbin/setenforce 1
The application should now work, and SELinux is enabled.
There are more details here.
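
Step 6 above (adding the header and a 'require' entry for each type) can be scripted. The following is an added example, not part of the original post: `gen_local_te` and `SAMPLE_RULES` are hypothetical names, and the sample input is constructed from the two rules shown above plus one `self` rule.

```shell
#!/bin/sh
# Added example. gen_local_te and SAMPLE_RULES are hypothetical names.
# Reads audit2allow-style output on stdin and writes a complete local.te:
# module header, a require block naming every type used, then the rules.
gen_local_te() {
    # Keep only the allow rules; audit2allow also emits comment and blank lines.
    _rules=$(grep '^allow ' || true)
    if [ -z "$_rules" ]; then
        echo "gen_local_te: no allow rules on stdin" >&2
        return 1
    fi

    printf 'policy_module(local, 1.0)\n\nrequire {\n'
    # Field 2 is the source type, field 3 is "target:class".
    # "self" is a keyword referring to the source type, so it is not declared.
    printf '%s\n' "$_rules" |
        awk '{ print $2; split($3, tc, ":"); if (tc[1] != "self") print tc[1] }' |
        sort -u |
        sed 's/.*/    type &;/'
    printf '}\n\n%s\n' "$_rules"
}

# Constructed sample input in the format audit2allow prints.
SAMPLE_RULES='#============= automount_t ==============
allow automount_t unlabeled_t:dir getattr;

#============= bluetooth_helper_t ==============
allow bluetooth_helper_t xdm_t:fd use;

#============= xdm_t ==============
allow xdm_t self:process setsched;'

# Demonstration: print the generated policy source for the sample rules.
printf '%s\n' "$SAMPLE_RULES" | gen_local_te
```

On a real system the input would come from `audit2allow -l -a | gen_local_te > local.te`. Read the generated allow rules before building the module, since everything the application did in permissive mode ends up permitted.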