On 11.04.20 at 05:30, Russell Coker wrote:
> On Friday, 10 April 2020 9:30:20 PM AEST Michael Biebl wrote:
>>>> Can you find out, how the file was deleted?
>>>
>>> systemd-journald just decided to do it.
>>>
>>> I'll put in an audit entry to get an audit log of it.
>>
>> Any news here?
>
> Yes it's systemd-journald deleting the files.
>
> type=AVC msg=audit(1586512443.135:71139): avc: granted { unlink } for
> pid=293 comm="systemd-journal"
> name="user-1001@165b61313e51499ab58ffd33d611e714-0000000000000000-0000000000000000.journal"
>
> dev="sdb2" ino=2093618 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
> type=AVC msg=audit(1586565837.001:94320): avc: granted { unlink } for
> pid=293 comm="systemd-journal"
> name="user-1001@165b61313e51499ab58ffd33d611e714-0000000000000000-0000000000000000.journal"
>
> dev="sdb2" ino=2095421 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
> Is another user/process accessing the journal file at the time the delete happens?
