[CentOS] What to do when a selinux policy doesn't work?

Wed Apr 14 07:19:45 UTC 2021
hw <hw at gc-24.de>

PS: Yes, it finally works, I just saw it in the log file :)

On 4/14/21 9:00 AM, hw wrote:
> On 2/27/21 3:40 AM, Jonathan Billings wrote:
>> On Feb 26, 2021, at 17:16, hw <hw at gc-24.de> wrote:
>>> Ejabberd is supposed to expire files when they are older than 
>>> desired, and selinux prevents it.  How can I solve this problem other 
>>> than by disabling selinux or by deleting the files manually?
>>
>> It’s possible that you are only capturing part of the process, such as 
>> a stat() before unlink(), so it still fails.  You need to capture the 
>> entire process.
>>
>> Temporarily set it to permissive (setenforce Permissive) and let it do 
>> what it does (is there a way to force it?). Then you should use 
>> ausearch to find the AVCs over the time period when it ran, and pipe 
>> that into audit2allow.
> 
> Hm, yes, thanks, I tried that ... Now I used ausearch -p to search by 
> pid, and I might have found it.  A selinux module was created with the 
> output which would allow ejabberd to unlink files and directories of the 
> appropriate type, and I installed that.
> 
> I thought ejabberd deletes the files when restarting, but apparently it 
> doesn't, so I'll have to watch for it in the log file.
> 
>> HOWEVER...
>>
>> There’s probably a better solution than blindly creating a module.  
>> You need to figure out what the correct SELinux attribute to put on 
>> the directory so you don’t need a module.
> 
> Yes, I did that.  Perhaps the selinux permissions ejabberd is being 
> installed with are incomplete.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
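As an added worked example, not code from the thread, from ejabberd or from the SELinux tools, here is a small Python script that does the triage Jonathan describes: it reads the AVC records that `ausearch` would print for the permissive-mode run, groups every denied permission by source type, target type and object class (so a `getattr` before an `unlink` and the final `rmdir` show up together instead of one at a time), and flags denials whose target carries a generic fallback type, which is the usual sign that the directory is mislabeled and needs a file-context rule rather than an allow rule. The audit lines, the `ejabberd_t`/`ejabberd_var_lib_t` type names and the list of "generic" types are constructed assumptions for the example; check the real expected label with `matchpathcon <path>` or `semanage fcontext -l | grep <path>` before relabeling.

```python
import re
from collections import defaultdict

# Constructed sample of what `ausearch -m AVC -p <pid>` prints after a permissive run.
# Type names and paths are assumptions for this example, not taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1618383585.101:901): avc:  denied  { getattr } for  pid=1234 comm="beam.smp" path="/var/lib/ejabberd/upload/old/abc" dev="dm-0" ino=41 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1618383585.102:902): avc:  denied  { unlink } for  pid=1234 comm="beam.smp" name="abc" dev="dm-0" ino=41 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1618383585.103:903): avc:  denied  { rmdir } for  pid=1234 comm="beam.smp" name="old" dev="dm-0" ino=40 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1618383585.103:903): arch=c000003e syscall=84 success=yes exit=0 comm="beam.smp"
"""

# One AVC record: denied permissions, then the source and target contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\w+)'
)

# Heuristic (assumption): target types that are catch-all labels rather than a daemon's own
# data type. A denial against one of these usually means the files were never labeled for
# the daemon, so the fix is a file-context rule plus restorecon, not a custom allow module.
GENERIC_TARGET_TYPES = {"var_t", "var_lib_t", "default_t", "unlabeled_t", "usr_t", "etc_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] SELinux context string."""
    return ctx.split(":")[2]


def summarize_avcs(lines):
    """Group denied permissions by (source type, target type, object class).

    Non-AVC records (SYSCALL, PATH, ...) are ignored. Returns a dict mapping the
    triple to a sorted list of every permission denied for it, so a multi-step
    operation (stat, unlink, rmdir) is seen as a whole.
    """
    summary = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in summary.items()}


def classify(summary):
    """Map each denial triple to 'relabel' (generic target type) or 'policy'."""
    return {
        key: ("relabel" if ttype in GENERIC_TARGET_TYPES else "policy")
        for key in summary
        for (_stype, ttype, _tclass) in [key]
    }


def fcontext_commands(path, target_type):
    """Commands that persistently label a tree and apply the label (the
    'find the right attribute' route instead of a generated module)."""
    return [
        f'semanage fcontext -a -t {target_type} "{path}(/.*)?"',
        f"restorecon -Rv {path}",
    ]


if __name__ == "__main__":
    summary = summarize_avcs(SAMPLE_AUDIT_LOG.splitlines())
    verdicts = classify(summary)
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        print(f"{stype} -> {ttype} ({tclass}): denied {' '.join(perms)} "
              f"[{verdicts[(stype, ttype, tclass)]}]")
    if any(v == "relabel" for v in verdicts.values()):
        # Assumed target type for the example; confirm with matchpathcon first.
        for cmd in fcontext_commands("/var/lib/ejabberd/upload", "ejabberd_var_lib_t"):
            print(cmd)
```

On a live box the input would be `ausearch -m AVC -ts <start> -p <pid> | python3 avc_triage.py` (piping stdin instead of the embedded sample); only when every flagged denial is against the daemon's own type, i.e. the files are already labeled correctly and the shipped policy simply lacks the rule, does `ausearch ... | audit2allow -M local_ejabberd` followed by `semodule -i local_ejabberd.pp` become the appropriate fix.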