Selinux seems to “dontaudit” logs by default. This means that when selinux is permissive, your plugins will work, and when you setenforce 1 your server, plugins fail. This all happens without warnings. If you see this happening:
- Disable dontaudit: semodule -DB
- See avc entries filling up audit.log, pipe through audit2allow.
- Enable again: semodule -B