What To Do When A Selinux Policy Doesn’t Work?


Hi,

I’m getting log file entries about ejabberd not being able to remove files that were uploaded by a client through the file upload facility of XMPP. With the help of audit2allow, I have already created and installed some selinux modules to solve such issues, and still files can’t be expired.

So I used

grep '/srv/data/ejabberd' /var/log/audit/audit.log | audit2allow -w

to find out what might cause this, and the answer is:

type=AVC msg=audit(1606302910.314:2905): avc: denied { open } for pid=687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/[…]"
dev="md100" ino=6 scontext=system_u:system_r:ejabberd_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

Was caused by:
Unknown – would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

I have reloaded the policies with 'semodule -R', and that didn’t change anything. The files in question seem to have the correct attributes like:

ls -laZ /srv/data/ejabberd/[…]
-rw-r--r--. 1 ejabberd ejabberd system_u:object_r:var_t:s0 1384362 Nov 25 12:15 /srv/data/ejabberd/[…]

Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it. How can I solve this problem other than by disabling selinux or by deleting the files manually?

3 thoughts on - What To Do When A Selinux Policy Doesn’t Work?

  • It’s possible that you are only capturing part of the process, such as a stat() before unlink(), so it still fails. You need to capture the entire process.

    Temporarily set it to permissive (setenforce Permissive) and let it do what it does (is there a way to force it?). Then you should use ausearch to find the AVCs over the time period when it ran, and pipe that into audit2allow.

    HOWEVER…

    There’s probably a better solution than blindly creating a module. You need to figure out what the correct SELinux attribute to put on the directory is, so you don’t need a module.

    Jonathan Billings
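An added example (not from the thread) of the first step in this reply: take the AVC records for one pid, as `ausearch -m avc -p PID --raw` would produce them, and list every distinct denial, so that the whole getattr/open/unlink/remove_name sequence is visible rather than just the first record audit2allow happened to see. The audit lines below are constructed; the pid matches the question, the paths and inode numbers are made up.

```shell
#!/bin/sh
# Constructed sample of audit records for one expire run, pid 687 as in the
# question. A second, unrelated pid is included to show the filter works.
SAMPLE_AUDIT='type=AVC msg=audit(1606302910.314:2905): avc:  denied  { open } for  pid=687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/upload/a.bin" dev="md100" ino=6 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.315:2906): avc:  denied  { getattr } for  pid=687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/upload/a.bin" dev="md100" ino=6 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.316:2907): avc:  denied  { unlink } for  pid=687 comm="8_dirty_io_sche" name="a.bin" dev="md100" ino=6 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1606302910.316:2908): avc:  denied  { remove_name } for  pid=687 comm="8_dirty_io_sche" name="a.bin" dev="md100" ino=5 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1606302911.000:2909): avc:  denied  { read } for  pid=999 comm="other" path="/tmp/x" dev="md100" ino=9 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1'

# avc_summary PID: read audit records on stdin and print one
# "scontext tcontext tclass permission" line per distinct denial for PID.
# Real use: ausearch -m avc -p 687 --raw | avc_summary 687
avc_summary() {
    pid="$1"
    awk -v want="pid=$pid" '
        /^type=AVC/ && index($0, want " ") {
            perm = ""; sc = ""; tc = ""; cls = ""
            # the permission sits between "{ " and " }"
            if (match($0, /\{ [a-z_]+ \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            print sc, tc, cls, perm
        }' | sort -u
}

# target_types PID: the distinct SELinux types the process was denied on.
# If this prints only var_t, the generic default label for /srv, the files
# are simply unlabelled for ejabberd's use; that points at fixing the file
# context of the upload directory, not at another allow module.
target_types() {
    avc_summary "$1" | awk '{ split($2, c, ":"); print c[3] }' | sort -u
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary 687
printf '%s\n' "$SAMPLE_AUDIT" | target_types 687
```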

  • Hm, yes, thanks, I tried that … Now I used ausearch -p to search by pid, and I might have found it. A selinux module was created with the output which would allow ejabberd to unlink files and directories of the appropriate type, and I installed that.

    I thought ejabberd deletes the files when restarting, but apparently it doesn’t, so I’ll have to watch for it in the log file.

    Yes, I did that. Perhaps the selinux permissions ejabberd is being installed with are incomplete.