EL8: SElinux / Dac_override / Tmpwatch


Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a cron job which uses "tmpwatch -umc $dir" to clean some directories
(/etc/cron.daily/tmpwatch). It seems that this triggers this AVC
(SELinux mode is enforcing):

type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override }
for pid013 comm="tmpwatch" capability=1
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass

2 thoughts on - EL8: SElinux / Dac_override / Tmpwatch

  • On 29.08.20 at 01:56, Jonathan Billings wrote:

    Thanks, it seems that this migration will take more time :-).

    Okay, systemd-tmpfiles is a reasonable solution for one scenario here, but some questions still persist for a second one:

    As you see – the next clean up will be in 23h

    # systemctl status systemd-tmpfiles-clean.timer

    ● systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories
       Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-clean.timer; static; vendor preset: disabled)
       Active: active (waiting) since Sat 2020-08-29 21:53:11 CEST; 53min ago
      Trigger: Sun 2020-08-30 22:07:52 CEST; 23h left
         Docs: man:tmpfiles.d(5)
               man:systemd-tmpfiles(8)

    # systemctl list-timers

    NEXT                          LEFT      LAST                          PASSED     UNIT                          ACTIVATES
    Sun 2020-08-30 22:07:52 CEST  23h left  Sat 2020-08-29 22:07:52 CEST  39min ago  systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service

    What triggers cleanups that must be done every hour for example?

    # cat /usr/lib/tmpfiles.d/app-tmp.conf
    e /srv/app/*/tmp - - - 1h

    # man tmpfiles.d

    is mentioning (m)inutes, (s)econds and even us (microseconds).

    Do I need to override the systemd-tmpfiles-clean.timer unit?

    # systemctl cat systemd-tmpfiles-clean.timer

    [Timer]
    OnBootSec=15min
    OnUnitActiveSec=1d

    It seems that this is more prepared for daily clean ups?


    Leon
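
Added example, not part of the thread: the timer shown above fires once a day, so an age of 1h in tmpfiles.d is only evaluated at that daily run. One way to shorten the interval is a drop-in for systemd-tmpfiles-clean.timer; the function name, its root argument and the 1h default are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): write a drop-in that makes
# systemd-tmpfiles-clean.timer fire more often than the vendor default of 1d.
# The "root" argument is an assumption so the function can be tried in a
# scratch directory; pass "/" on a real host.

write_tmpfiles_timer_dropin() {
    root=${1:-/}
    interval=${2:-1h}

    # Accept only simple systemd time spans such as 30min, 1h or 2d.
    case $interval in
        *[!0-9a-z]*|[!0-9]*|'')
            echo "invalid interval: $interval" >&2
            return 1 ;;
    esac

    dir="${root%/}/etc/systemd/system/systemd-tmpfiles-clean.timer.d"
    mkdir -p "$dir" || return 1

    # An empty assignment resets every timer inherited from the vendor unit
    # (OnBootSec=15min and OnUnitActiveSec=1d), so OnBootSec is restated.
    cat > "$dir/override.conf" <<EOF
[Timer]
OnUnitActiveSec=
OnBootSec=15min
OnUnitActiveSec=$interval
EOF
    printf '%s\n' "$dir/override.conf"
}

# On a real host, as root:
#   write_tmpfiles_timer_dropin / 1h
#   systemctl daemon-reload
#   systemctl restart systemd-tmpfiles-clean.timer
#   systemctl list-timers systemd-tmpfiles-clean.timer
```

Without the empty `OnUnitActiveSec=` line the drop-in would add a second timer next to the vendor's 1d setting instead of replacing it.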