[CentOS] What to do when a selinux policy doesn't work?

Wed Apr 14 07:00:13 UTC 2021
hw <hw at gc-24.de>

On 2/27/21 3:40 AM, Jonathan Billings wrote:
> On Feb 26, 2021, at 17:16, hw <hw at gc-24.de> wrote:
>> Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it.  How can I solve this problem other than by disabling selinux or by deleting the files manually?
> 
> It’s possible that you are only capturing part of the process, such as a stat() before unlink(), so it still fails.  You need to capture the entire process.
> 
> Temporarily set it to permissive (setenforce Permissive) and let it do what it does (is there a way to force it?). Then you should use ausearch to find the AVCs over the time period when it ran, and pipe that into audit2allow.

Hm, yes, thanks, I tried that ... Now I used ausearch -p to search by 
pid, and I might have found it.  A selinux module was created with the 
output which would allow ejabberd to unlink files and directories of the 
appropriate type, and I installed that.

I thought ejabberd deletes the files when restarting, but apparently it 
doesn't, so I'll have to watch for it in the log file.

> HOWEVER...
> 
> There’s probably a better solution than blindly creating a module.  You need to figure out what the correct SELinux attribute to put on the directory so you don’t need a module.

Yes, I did that.  Perhaps the selinux permissions ejabberd is being 
installed with are incomplete.
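The workflow the thread describes (run permissive, collect the AVCs for the process, then prefer fixing the file context over shipping an audit2allow module) can be checked with a small script. This is an added example, not code from the thread or from the ejabberd project: the AVC lines are constructed to look like `ausearch -m avc` output, and the `ejabberd_var_lib_t` type and the `/var/lib/ejabberd/upload` path are assumptions chosen for illustration, so confirm the right type for your policy with `seinfo -t` or `ls -Z` on a correctly labelled directory before relabelling.

```shell
#!/bin/sh
# Triage SELinux denials the way the thread suggests: collect every AVC for the
# process while permissive, summarise them, and then decide whether a relabel
# (semanage fcontext + restorecon) fixes it instead of a custom allow module.
#
# Real collection, run on the affected host (not executed here):
#   setenforce Permissive                      # log, but do not block, every denial
#   ... make ejabberd run its expiry job ...
#   ausearch -m avc -p "$PID" -ts recent       # all AVCs for that pid, stat() and unlink() alike
#   setenforce Enforcing
# The "permissive=1" field on each AVC below is what you see when the denial
# was logged in permissive mode; in enforcing mode the process would have
# stopped at the first failure and later denials would never be recorded.

# Constructed sample of `ausearch -m avc -p 1234` output (pid, inode, paths and
# labels are made up; beam.smp is the Erlang VM that runs ejabberd).
SAMPLE_AVCS='type=AVC msg=audit(1614300000.123:4567): avc:  denied  { unlink } for  pid=1234 comm="beam.smp" name="upload.bin" dev="dm-0" ino=98765 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614300000.456:4568): avc:  denied  { rmdir } for  pid=1234 comm="beam.smp" name="abc" dev="dm-0" ino=98766 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1614300000.789:4569): avc:  denied  { getattr } for  pid=1234 comm="beam.smp" path="/var/lib/ejabberd/upload/abc/upload.bin" dev="dm-0" ino=98765 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1'

# Read AVC records on stdin and print one deduplicated line per denial:
#   <scontext> <tcontext> <tclass> <permissions>
avc_summary() {
    sed -n 's/.*denied  *{ \([^}]*\) }.*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
        | sort -u
}

# List the distinct target *types* (third field of tcontext) that were denied.
# A generic type such as var_lib_t here usually means the directory was never
# labelled with the daemon's own type: the fix is a relabel, not a new module.
denied_target_types() {
    avc_summary | awk '{ split($2, t, ":"); print t[3] }' | sort -u
}

# Print the relabel commands for a directory tree: persist the rule with
# semanage so the label survives restorecon/relabel, then apply it.
suggest_relabel() {
    dir=$1
    type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Only if a relabel is genuinely not possible, fall back to a local module
# built from the collected AVCs (not executed here):
#   ausearch -m avc -p "$PID" -ts recent | audit2allow -M ejabberd_local
#   semodule -i ejabberd_local.pp

echo "== denials (scontext tcontext class perms) =="
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
echo "== target types that were denied =="
printf '%s\n' "$SAMPLE_AVCS" | denied_target_types
echo "== relabel first, module only as a last resort =="
suggest_relabel /var/lib/ejabberd/upload ejabberd_var_lib_t
```

The summary is deliberately keyed on the target type rather than the permission: when every denial lands on one generic type, that is the signal that the directory's label is the problem and a policy module would only paper over it.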