[CentOS] EL8: SElinux / dac_override / tmpwatch

Fri Aug 28 21:53:14 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a
cron job which uses "tmpwatch -umc $dir" to clean some directories
(/etc/cron.daily/tmpwatch). It seems that this triggers this AVC
(SElinux mode is enforcing):

type=AVC msg=audit(1598576896.772:4267): avc:  denied  { dac_override } 
for  pid=11013 comm="tmpwatch" capability=1 
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability 
permissive=0

The tmpwatch exec line had "--force" before and I was hoping that this
"capability" was the cause and deleted it, but this night the AVCs are
still appearing.

Is cron running in EL8 with stripped CAPs off? Does someone have an
idea to address this?

--
Thanks,
Leon
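Added example (not part of the post above): a small parser for audit AVC records such as the one quoted in the mail, which re-joins the mail-wrapped lines, extracts the denied permission, the calling command and the source domain, and maps the numeric capability field to its name so that a denial like this can be triaged from a log file without audit2allow. The capability number table is a constructed subset of linux/capability.h; the sample record is the one from the post.

```python
import re
from collections import Counter

# Subset of Linux capability numbers (linux/capability.h), constructed for this
# example; capability=1 in the quoted AVC is CAP_DAC_OVERRIDE.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
             7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

# The record as it appeared in the mail, wrapped across several lines.
SAMPLE_AVC = """type=AVC msg=audit(1598576896.772:4267): avc:  denied  { dac_override }
for  pid=11013 comm="tmpwatch" capability=1
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability
permissive=0"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Parse one AVC record into a dict; return None if the text is not an AVC record."""
    text = " ".join(record.split())          # undo mail/terminal line wrapping
    m = AVC_RE.search(text)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    info = {"result": m.group("result"), "perms": m.group("perms").split(), **fields}
    # SELinux context is user:role:type:range; the type is the confined domain.
    if "scontext" in info:
        info["source_type"] = info["scontext"].split(":")[2]
    if info.get("tclass") == "capability" and "capability" in info:
        info["capability_name"] = CAP_NAMES.get(int(info["capability"]), "unknown")
    return info

def summarize(records):
    """Count denials per (source domain, object class, permission) for triage."""
    counts = Counter()
    for rec in records:
        info = parse_avc(rec)
        if info and info["result"] == "denied":
            for perm in info["perms"]:
                counts[(info.get("source_type"), info.get("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(parsed["comm"], parsed["source_type"], parsed["capability_name"])
    print(summarize([SAMPLE_AVC]))
```

Feed it the output of `ausearch -m avc --raw` (one record per line) to see which domains and permissions are being denied most often before deciding whether a boolean, a file context fix or a local policy module is the right response.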