[CentOS] What to do when a selinux policy doesn't work?

Fri Feb 26 22:15:57 UTC 2021
hw <hw at gc-24.de>


I'm getting log file entries about ejabberd not being able to remove 
files that were uploaded by clients through the file upload facility of 
XMPP.  With the help of audit2allow, I have already created and 
installed some selinux modules to solve such issues, and still files 
can't be expired.

So I used

grep '/srv/data/ejabberd' /var/log/audit/audit.log | audit2allow -w

to find out what might cause this, and the answer is:

type=AVC msg=audit(1606302910.314:2905): avc:  denied  { open } for pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/[...]" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

         Was caused by:
                 Unknown - would be allowed by active policy
                 Possible mismatch between this policy and the one under which the audit message was generated.

                 Possible mismatch between current in-memory boolean settings vs. permanent ones.

I have reloaded the policies with 'semodule -R', and that didn't change 
anything.  The files in question seem to have the correct attributes like:

ls -laZ /srv/data/ejabberd/[...]
-rw-r--r--. 1 ejabberd ejabberd system_u:object_r:var_t:s0 1384362 Nov 25 12:15 /srv/data/ejabberd/[...]

Ejabberd is supposed to expire files when they are older than desired, 
and selinux prevents it.  How can I solve this problem other than by 
disabling selinux or by deleting the files manually?
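
Added example, not part of the original post: the grep above feeds every matching record in audit.log to audit2allow, including ones logged before the local modules were installed, so this sketch parses AVC records and keeps only denials newer than a cutoff, grouped by source type, target type and class. The first sample record is the one quoted in the post; the second record, the cutoff epoch and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 is the denial quoted in the post (path elided as "[...]");
# the later unlink denial and the SYSCALL line are made up for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1606302910.314:2905): avc:  denied  { open } for pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/[...]" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614377000.101:4411): avc:  denied  { unlink } for pid=20111 comm="8_dirty_io_sche" name="upload.bin" dev="md100" ino=170 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1614377000.101:4411): arch=c000003e syscall=87 success=no exit=-13
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?')

def parse_avc(log_text):
    """Yield one dict per AVC denial; non-AVC records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])            # epoch seconds of the event
        rec["perms"] = rec["perms"].split()
        # Field 3 of user:role:type:level is the type that policy rules match on.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        rec["enforced"] = rec["permissive"] == "0"  # permissive=1: logged, not blocked
        yield rec

def outstanding_denials(log_text, policy_changed_at):
    """Group denials logged after the last policy change by (source, target, class)."""
    grouped = defaultdict(set)
    for rec in parse_avc(log_text):
        if rec["ts"] <= policy_changed_at:
            continue  # older than the current policy; audit2allow -w may call it already allowed
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == "__main__":
    cutoff = 1610000000  # assumed epoch of the last semodule install
    for (src, tgt, cls), perms in outstanding_denials(SAMPLE_LOG, cutoff).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The quoted record carries epoch 1606302910 (25 Nov 2020) and permissive=1, so it is dropped by the cutoff and only the constructed later denial is reported.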