CentOS - Feb 2021 - What to do when a selinux policy doesn't work?

Hi,

I'm getting log file entries about ejabberd not being able to remove 
files that were uploaded by client through the file upload facility of 
XMPP.  With the help of audit2allow, I have already created and 
installed some selinux modules to solve such issues, and still files 
can't be expired.

So I used


grep '/srv/data/ejabberd' /var/log/audit/audit.log | audit2allow -w


to find out what might cause this, and the answer is:


type=AVC msg=audit(1606302910.314:2905): avc:  denied  { open } for 
pid=18687 comm="8_dirty_io_sche"
path="/srv/data/ejabberd/[...]"
dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

         Was caused by:
                 Unknown - would be allowed by active policy
                 Possible mismatch between this policy and the one under 
which the audit message was generated.

                 Possible mismatch between current in-memory boolean 
settings vs. permanent ones.


I have reloaded the policies with 'semodule -R', and that didn't
change
anything.  The files in question seem to have the correct attributes like:


ls -laZ /srv/data/ejabberd/[...]
-rw-r--r--. 1 ejabberd ejabberd system_u:object_r:var_t:s0 1384362 Nov 
25 12:15 /srv/data/ejabberd/[...]


Ejabberd is supposed to expire files when they are older than desired, 
and selinux prevents it.  How can I solve this problem other than by 
disabling selinux or by deleting the files manually?

On Feb 26, 2021, at 17:16, hw <hw at gc-24.de>
wrote:
> Ejabberd is supposed to expire files when they are older than desired, and
selinux prevents it.  How can I solve this problem other than by disabling
selinux or by deleting the files manually?
It?s possible that you are only capturing part of the process, such as a stat()
before unlink(), so it still fails.  You need to capture the entire process.

Temporarily set it to permissive (setenforce Permissive) and let it do what it
does (is there a way to force it?). Then you should use ausearch to find the
AVCs over the time period when it ran, and pipe that into audit2allow.

HOWEVER...

There?s probably a better solution than blindly creating a module.  You need to
figure out what the correct SELinux attribute to put on the directory so you
don?t need a module.

?
Jonathan Billings

On 2/27/21 3:40 AM, Jonathan Billings wrote:
> On Feb 26, 2021, at 17:16, hw <hw at gc-24.de> wrote:
>> Ejabberd is supposed to expire files when they are older than desired,
and selinux prevents it.  How can I solve this problem other than by disabling
selinux or by deleting the files manually?
> 
> It?s possible that you are only capturing part of the process, such as a
stat() before unlink(), so it still fails.  You need to capture the entire
process.
> 
> Temporarily set it to permissive (setenforce Permissive) and let it do what
it does (is there a way to force it?). Then you should use ausearch to find the
AVCs over the time period when it ran, and pipe that into audit2allow.
Hm, yes, thanks, I tried that ... Now I used ausearch -p to search by 
pid, and I might have found it.  A selinux module was created with the 
output which would allow ejabberd to unlink files and directories of the 
appropriate type, and I installed that.

I thought ejabberd deletes the files when restarting, but apparently it 
doesn't, so I'll have to watch for it in the log file.
> HOWEVER...
> 
> There?s probably a better solution than blindly creating a module.  You
need to figure out what the correct SELinux attribute to put on the directory so
you don?t need a module.
Yes, I did that.  Perhaps the selinux permissions ejabberd is being 
installed with are incomplete.