PS: Yes, it finally works, I just saw it in the log file :)

On 4/14/21 9:00 AM, hw wrote:
> On 2/27/21 3:40 AM, Jonathan Billings wrote:
>> On Feb 26, 2021, at 17:16, hw <hw at gc-24.de> wrote:
>>> Ejabberd is supposed to expire files when they are older than
>>> desired, and selinux prevents it. How can I solve this problem other
>>> than by disabling selinux or by deleting the files manually?
>>
>> It’s possible that you are only capturing part of the process, such as
>> a stat() before unlink(), so it still fails. You need to capture the
>> entire process.
>>
>> Temporarily set it to permissive (setenforce Permissive) and let it do
>> what it does (is there a way to force it?). Then you should use
>> ausearch to find the AVCs over the time period when it ran, and pipe
>> that into audit2allow.
>
> Hm, yes, thanks, I tried that ... Now I used ausearch -p to search by
> pid, and I might have found it. A selinux module was created with the
> output which would allow ejabberd to unlink files and directories of the
> appropriate type, and I installed that.
>
> I thought ejabberd deletes the files when restarting, but apparently it
> doesn't, so I'll have to watch for it in the log file.
>
>> HOWEVER...
>>
>> There’s probably a better solution than blindly creating a module.
>> You need to figure out what the correct SELinux attribute to put on
>> the directory so you don’t need a module.
>
> Yes, I did that. Perhaps the selinux permissions ejabberd is being
> installed with are incomplete.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
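The point made in the thread about capturing only part of the process (a stat() before the unlink()) can be checked before a module is built. This is an added example, not part of the original messages: it groups AVC denials by source type, target type and class for one mode, so the enforcing capture can be compared with the permissive one. The AVC records, the type names example_daemon_t and example_data_t, the paths and the function names are all constructed.

```shell
#!/bin/sh
# Constructed AVC records: one from an enforcing run (permissive=0), where the
# daemon gave up after the first denial, and four from a permissive run.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1618300000.101:501): avc:  denied  { getattr } for  pid=2101 comm="exampled" path="/srv/example/upload/a.bin" dev="dm-0" ino=7001 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=0
type=AVC msg=audit(1618386400.201:610): avc:  denied  { getattr } for  pid=2101 comm="exampled" path="/srv/example/upload/a.bin" dev="dm-0" ino=7001 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1618386400.202:611): avc:  denied  { write remove_name } for  pid=2101 comm="exampled" name="upload" dev="dm-0" ino=7000 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1618386400.203:612): avc:  denied  { unlink } for  pid=2101 comm="exampled" name="a.bin" dev="dm-0" ino=7001 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1618386400.204:613): avc:  denied  { rmdir } for  pid=2101 comm="exampled" name="old" dev="dm-0" ino=7002 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=dir permissive=1
EOF
}

# summarize_avc MODE: read AVC records on stdin, keep those whose permissive=
# field equals MODE (0 or 1), and print one line per source/target/class with
# the union of denied permissions, in first-seen order.
summarize_avc() {
  awk -v mode="$1" '
    function val(key,   i, kv) {            # value of key=... in this record
      for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == key) return kv[2] }
      return ""
    }
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }  # user:role:type:level
    /avc:/ && /denied/ {
      if (val("permissive") != mode) next
      b = index($0, "{"); e = index($0, "}")
      n = split(substr($0, b + 1, e - b - 1), pl, " ")
      k = setype(val("scontext")) " -> " setype(val("tcontext")) ":" val("tclass")
      if (!(k in idx)) { idx[k] = 1; keys[++cnt] = k }
      for (i = 1; i <= n; i++)
        if (!((k, pl[i]) in seen)) { seen[k, pl[i]] = 1; list[k] = list[k] " " pl[i] }
    }
    END { for (j = 1; j <= cnt; j++) printf "%s {%s }\n", keys[j], list[keys[j]] }
  '
}

echo "enforcing capture:";  sample_avc | summarize_avc 0
echo "permissive capture:"; sample_avc | summarize_avc 1
```

On a live system the input would be the ausearch output described in the thread instead of sample_avc. A permission list that stops at getattr, as in the enforcing capture here, means the unlink step was never reached and a module built from it will be incomplete.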