Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a cron job which uses "tmpwatch -umc $dir" to clean some directories (/etc/cron.daily/tmpwatch). It seems that this triggers this AVC (SElinux mode is enforcing): type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override } for pid=11013 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0 The tmpwatch exec line had "--force" before and I was hopping that this "capability" was the cause and deleted it but this night the AVC are still appearing. Is cron running in EL8 with stripped CAPs of? Does some one have an idea to address this? -- Thanks, Leon