Hi,
I'm getting log file entries about ejabberd not being able to remove files that were uploaded by client through the file upload facility of XMPP. With the help of audit2allow, I have already created and installed some selinux modules to solve such issues, and still files can't be expired.
So I used
grep '/srv/data/ejabberd' /var/log/audit/audit.log | audit2allow -w
to find out what might cause this, and the answer is:
type=AVC msg=audit(1606302910.314:2905): avc: denied { open } for pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/[...]" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
I have reloaded the policies with 'semodule -R', and that didn't change anything. The files in question seem to have the correct attributes like:
ls -laZ /srv/data/ejabberd/[...]
-rw-r--r--. 1 ejabberd ejabberd system_u:object_r:var_t:s0 1384362 Nov 25 12:15 /srv/data/ejabberd/[...]
Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it. How can I solve this problem other than by disabling selinux or by deleting the files manually?
On Feb 26, 2021, at 17:16, hw hw@gc-24.de wrote:
Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it. How can I solve this problem other than by disabling selinux or by deleting the files manually?
It’s possible that you are only capturing part of the process, such as a stat() before unlink(), so it still fails. You need to capture the entire process.
Temporarily set it to permissive (setenforce Permissive) and let it do what it does (is there a way to force it?). Then you should use ausearch to find the AVCs over the time period when it ran, and pipe that into audit2allow.
HOWEVER...
There’s probably a better solution than blindly creating a module. You need to figure out what the correct SELinux attribute to put on the directory so you don’t need a module.
— Jonathan Billings
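One way to do the "capture the whole sequence for one pid" step described above, added here as an example that is not part of the thread: it parses AVC records of the form quoted earlier, groups every denied permission for a pid by (source domain, target type, class), and flags catch-all target types such as var_t, which point at relabelling the directory rather than writing an allow rule. The audit records are constructed (only the first mirrors the one in the thread) and the GENERIC_TYPES list is an editorial heuristic, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the first record reproduces the AVC quoted in the thread;
# the later ones are invented to show the getattr/unlink/remove_name chain that
# a full expiry run produces, plus an unrelated pid to show filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1606302910.314:2905): avc:  denied  { open } for  pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/upload/f1" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.315:2906): avc:  denied  { getattr } for  pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/upload/f1" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.316:2907): avc:  denied  { unlink } for  pid=18687 comm="8_dirty_io_sche" name="f1" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.316:2907): avc:  denied  { remove_name } for  pid=18687 comm="8_dirty_io_sche" name="f1" dev="md100" ino=165 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1606302999.001:2950): avc:  denied  { read } for  pid=999 comm="httpd" path="/var/www/x" dev="md100" ino=10 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r'.*?scontext=\w+:\w+:(?P<sdomain>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r' tclass=(?P<tclass>\w+)')

# Heuristic (editorial assumption, not from the thread): a daemon domain hitting
# these catch-all types usually means the files are mislabelled, not that the
# policy lacks a rule for the daemon's own content type.
GENERIC_TYPES = {'var_t', 'usr_t', 'etc_t', 'default_t', 'unlabeled_t'}

def summarize_denials(audit_text, pid):
    """Collect every denied permission for one pid, keyed by (domain, target type, class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and int(m.group('pid')) == pid:
            key = (m.group('sdomain'), m.group('ttype'), m.group('tclass'))
            denials[key].update(m.group('perms').split())
    return {k: sorted(v) for k, v in denials.items()}

def labeling_hints(denials):
    """Target types that point to a file-context fix rather than a new allow rule."""
    return sorted({ttype for (_, ttype, _) in denials if ttype in GENERIC_TYPES})

if __name__ == '__main__':
    d = summarize_denials(SAMPLE_AUDIT_LOG, 18687)
    for (src, tgt, cls), perms in sorted(d.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    for t in labeling_hints(d):
        # The concrete type to relabel with is not given in the thread; list the
        # daemon's types with `seinfo -t | grep ejabberd` and inspect rules with
        # `sesearch -A -s ejabberd_t` before running semanage fcontext / restorecon.
        print(f"{t} is a catch-all label: relabel the directory instead of adding a module")
```

Run it against real records with `ausearch -m AVC -p <pid> --raw` piped into the script instead of SAMPLE_AUDIT_LOG.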
On 2/27/21 3:40 AM, Jonathan Billings wrote:
On Feb 26, 2021, at 17:16, hw hw@gc-24.de wrote:
Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it. How can I solve this problem other than by disabling selinux or by deleting the files manually?
It’s possible that you are only capturing part of the process, such as a stat() before unlink(), so it still fails. You need to capture the entire process.
Temporarily set it to permissive (setenforce Permissive) and let it do what it does (is there a way to force it?). Then you should use ausearch to find the AVCs over the time period when it ran, and pipe that into audit2allow.
Hm, yes, thanks, I tried that ... Now I used ausearch -p to search by pid, and I might have found it. A selinux module was created with the output which would allow ejabberd to unlink files and directories of the appropriate type, and I installed that.
I thought ejabberd deletes the files when restarting, but apparently it doesn't, so I'll have to watch for it in the log file.
HOWEVER...
There’s probably a better solution than blindly creating a module. You need to figure out what the correct SELinux attribute to put on the directory so you don’t need a module.
Yes, I did that. Perhaps the selinux permissions ejabberd is being installed with are incomplete.
PS: Yes, it finally works, I just saw it in the log file :)
On 4/14/21 9:00 AM, hw wrote:
Yes, I did that. Perhaps the selinux permissions ejabberd is being installed with are incomplete.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos