Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a cron job which uses "tmpwatch -umc $dir" to clean some directories (/etc/cron.daily/tmpwatch). It seems that this triggers this AVC (SELinux mode is enforcing):
type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override } for pid=11013 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0
The tmpwatch exec line had "--force" before and I was hoping that this "capability" was the cause and deleted it, but this night the AVCs are still appearing.
Is cron running in EL8 with stripped CAPs off? Does someone have an idea to address this?
-- Thanks, Leon
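For sorting through a batch of denials like the one quoted above, here is an added example (not from the thread, and not part of tmpwatch or the policy tooling) that extracts the fields a reviewer needs from SELinux AVC records. It assumes the standard audit.log record layout; the first sample record is the one from the mail, the second is a constructed record with invented values.

```shell
#!/bin/sh
# Added example (not from the thread): pull the interesting fields out of
# SELinux AVC records so a batch of denials can be summarised quickly.

# Constructed sample input: the record quoted in the mail plus a second,
# made-up record of a different class (same format, invented values).
AVC_SAMPLES='type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override } for pid=11013 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1598576900.100:4270): avc: denied { read open } for pid=11014 comm="example" path="/srv/example/file" dev="dm-0" ino=12345 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=... (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perms RECORD: the permission names inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_type CONTEXT: the type component (third colon-separated field) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summarise RECORDS: one tab-separated line per AVC record:
#   comm  source-type  class  permissions  target-type
avc_summarise() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case $rec in *'avc: denied'*) ;; *) continue ;; esac
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(avc_field "$rec" comm)" \
            "$(avc_type "$(avc_field "$rec" scontext)")" \
            "$(avc_field "$rec" tclass)" \
            "$(avc_perms "$rec")" \
            "$(avc_type "$(avc_field "$rec" tcontext)")"
    done
}

# avc_count_dac_override RECORDS: number of capability-class dac_override denials
avc_count_dac_override() {
    avc_summarise "$1" | awk -F'\t' '$3 == "capability" && $4 ~ /dac_override/ { n++ } END { print n+0 }'
}

avc_summarise "$AVC_SAMPLES"
```

On a real host the records come from `ausearch -m avc -ts recent` instead of the embedded sample. In the quoted record, `capability=1` is CAP_DAC_OVERRIDE, which a root process needs only when the file mode bits themselves would deny it (for example a file or directory owned by another user with no "other" permissions); checking the ownership and modes of what tmpwatch walks is the first thing to look at before touching the policy.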
On Aug 28, 2020, at 17:53, Leon Fauster via CentOS centos@centos.org wrote:
Is cron running in EL8 with stripped CAPs off? Does someone have an idea to address this?
In general, we no longer use tmpwatch at all. In CentOS 7 and 8, use systemd-tmpfiles. Here is a blog post that describes it pretty well:
https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-...
-- Jonathan Billings billings@negate.org
On 29.08.20 at 01:56, Jonathan Billings wrote:
On Aug 28, 2020, at 17:53, Leon Fauster via CentOS centos@centos.org wrote:
Is cron running in EL8 with stripped CAPs off? Does someone have an idea to address this?
In general, we no longer use tmpwatch at all. In CentOS 7 and 8, use systemd-tmpfiles. Here is a blog post that describes it pretty well:
https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-...
Thanks, it seems that this migration will take more time :-).
Okay, systemd-tmpfiles is a reasonable solution for one scenario here, but some questions still persist for a second one:
As you see, the next cleanup will be in 23h:
# systemctl status systemd-tmpfiles-clean.timer
● systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories
   Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-clean.timer; static; vendor preset: disabled)
   Active: active (waiting) since Sat 2020-08-29 21:53:11 CEST; 53min ago
  Trigger: Sun 2020-08-30 22:07:52 CEST; 23h left
     Docs: man:tmpfiles.d(5)
           man:systemd-tmpfiles(8)
# systemctl list-timers
NEXT                         LEFT     LAST                         PASSED    UNIT                          ACTIVATES
Sun 2020-08-30 22:07:52 CEST 23h left Sat 2020-08-29 22:07:52 CEST 39min ago systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service
What triggers cleanups that must be done every hour for example?
# cat /usr/lib/tmpfiles.d/app-tmp.conf
e /srv/app/*/tmp - - - 1h
# man tmpfiles.d
mentions (m)inutes, (s)econds and even us (microseconds).
Do I need to override the systemd-tmpfiles-clean.timer unit?
# systemctl cat systemd-tmpfiles-clean.timer
...
[Timer]
OnBootSec=15min
OnUnitActiveSec=1d
It seems that this is more prepared for daily clean ups?
-- Leon
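To answer the timer question for a concrete fragment rather than by eye, here is an added example (not from the thread, and not part of systemd) that converts tmpfiles.d(5) age fields to seconds, finds the shortest age in a fragment, and renders the drop-in for systemd-tmpfiles-clean.timer when its OnUnitActiveSec= is longer than that age. The sample fragment is constructed: the first line is the one quoted above, the second is invented.

```shell
#!/bin/sh
# Added example, not from the thread: check whether systemd-tmpfiles-clean.timer
# fires often enough for the shortest age in a tmpfiles.d fragment, and render
# the [Timer] drop-in that shortens the interval if it does not.

# Constructed sample fragment (the quoted line plus an invented second line)
APP_TMP_CONF='# clean application scratch space
e /srv/app/*/tmp - - - 1h
d /var/tmp/app-spool 0750 app app 2d12h'

# age_to_seconds AGE: tmpfiles.d(5) age ("1h", "30min", "2d12h", bare seconds)
# to whole seconds; "-" or empty (no age) prints nothing and returns 1.
age_to_seconds() {
    case $1 in ''|-) return 1 ;; esac
    total=0
    rest=$1
    while [ -n "$rest" ]; do
        num=$(printf '%s\n' "$rest" | sed 's/^\([0-9]*\).*/\1/')
        rest=${rest#"$num"}
        unit=$(printf '%s\n' "$rest" | sed 's/^\([a-z]*\).*/\1/')
        rest=${rest#"$unit"}
        [ -n "$num" ] || return 1
        div=1
        case $unit in
            ''|s|sec|seconds) mult=1 ;;
            m|min|minutes)    mult=60 ;;
            h|hr|hours)       mult=3600 ;;
            d|days)           mult=86400 ;;
            w|weeks)          mult=604800 ;;
            ms)               mult=1; div=1000 ;;      # rounds down to whole seconds
            us)               mult=1; div=1000000 ;;
            *) return 1 ;;
        esac
        total=$((total + num * mult / div))
    done
    printf '%s\n' "$total"
}

# shortest_age_seconds CONF: smallest age in seconds over the non-comment lines
# of a fragment (the age is the sixth field); prints nothing if no line has one.
shortest_age_seconds() {
    printf '%s\n' "$1" | while read -r type path mode uid gid age _; do
        case $type in ''|'#'*) continue ;; esac
        secs=$(age_to_seconds "$age") || continue
        printf '%s\n' "$secs"
    done | sort -n | head -n 1
}

# timer_override CONF CURRENT_INTERVAL: print the drop-in that makes the timer
# fire at least as often as CONF needs; print nothing if CURRENT_INTERVAL is
# already short enough. The empty OnUnitActiveSec= resets the list-type setting
# so the drop-in replaces the vendor value instead of adding a second trigger.
timer_override() {
    shortest=$(shortest_age_seconds "$1")
    current=$(age_to_seconds "$2") || return 1
    [ -n "$shortest" ] || return 1
    [ "$current" -gt "$shortest" ] || return 0
    printf '[Timer]\nOnUnitActiveSec=\nOnUnitActiveSec=%ss\n' "$shortest"
}

timer_override "$APP_TMP_CONF" 1d
```

The printed text is what `systemctl edit systemd-tmpfiles-clean.timer` would store in /etc/systemd/system/systemd-tmpfiles-clean.timer.d/override.conf; after `systemctl daemon-reload`, `systemctl list-timers` shows the shortened interval. If only one fragment needs the short age, the alternative is a separate timer whose service runs `systemd-tmpfiles --clean /usr/lib/tmpfiles.d/app-tmp.conf`, which keeps the daily timer for everything else.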