Centos 6.8 logrotate

General support questions
BrianMc
Posts: 3
Joined: 2016/06/22 19:53:58

Centos 6.8 logrotate

Post by BrianMc » 2016/06/22 20:08:24

Hello All - A new CentOS x86_64 6.8 VM has logrotate-3.7.8-26.el6_7.x86_64 and I'm getting the following error:

/etc/cron.daily/logrotate:

error: nailswebd:9 unknown option 'su' -- ignoring line
error: nailswebd:9 unexpected text
error: stat of /var/opt/NAI/LinuxShield/log/apache/error_log failed: Permission denied

su directive added to /etc/logrotate.d/nailswebd as directed by McAfee
https://kc.mcafee.com/corporate/index?p ... snspd-1115

Any ideas?

Thanks,
Brian

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 logrotate

Post by TrevorH » 2016/06/22 20:27:51

It appears that the su directive is newer than the version of logrotate shipped by CentOS 6, but I'm not sure that matters since, having read your link, it doesn't sound like the correct solution anyway. Run aureport -a as root and look for entries timestamped at about the time that logrotate would have run. At the far right-hand end of each of the lines there is a number; take that number and plug it into ausearch -a nnnn, where nnnn is the number. Post that output here.

Oh, it might work right out of the box if you can change the log location - /var/opt/NAI/LinuxShield/log/apache/error_log is non-standard and you would be better off moving that under /var/log somewhere instead. That might be enough to make selinux happy and get it working.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

BrianMc
Posts: 3
Joined: 2016/06/22 19:53:58

Re: Centos 6.8 logrotate

Post by BrianMc » 2016/06/22 20:38:30

Output of ausearch -a 578

----
time->Wed Jun 22 03:31:02 2016
type=SYSCALL msg=audit(1466580662.109:578): arch=c000003e syscall=4 success=no exit=-13 a0=8ae720 a1=7fff3e64ddf0 a2=7fff3e64ddf0 a3=f items=0 ppid=6912 pid=6914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=87 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1466580662.109:578): avc: denied { getattr } for pid=6914 comm="logrotate" path="/var/opt/NAI/LinuxShield/log/apache/error_log" dev=sda2 ino=289448 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 logrotate

Post by TrevorH » 2016/06/22 22:45:22

That pretty much confirms my suspicion: if you move the log file to a subdirectory of /var/log then I think it will just work.

If you cannot move the logfile then you'll need to build an selinux policy module to allow the access that way instead.

setenforce 0
service auditd rotate
Now recreate the problem so that it logs all selinux denials in permissive mode and then follow the instructions in section 7 of https://wiki.centos.org/HowTos/SELinux though I'd grep the audit log for avc in this case. You'll need to install the policycoreutils-python package to get audit2allow.

Oh, one thing, make sure it works with selinux in permissive mode or I am blaming the wrong thing.

Much easier to move the log file ;-)

BrianMc
Posts: 3
Joined: 2016/06/22 19:53:58

Re: Centos 6.8 logrotate

Post by BrianMc » 2016/06/27 14:17:49

avc_audit.log

type=AVC msg=audit(1466752862.772:643): avc:  denied  { getattr } for  pid=7726 comm="logrotate" path="/var/opt/NAI/LinuxShield/log/apache/error_log" dev=sda2 ino=287464 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1466752862.997:644): avc:  denied  { getattr } for  pid=7726 comm="logrotate" path="/var/opt/NAI/LinuxShield/log/apache/error_log" dev=sda2 ino=287464 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
audit2allow -M linuxshield < avc_audit.log

cat linuxshield.te

module linuxshield 1.0;

require {
	type var_t;
	type logrotate_t;
	class file getattr;
}

#============= logrotate_t ==============
allow logrotate_t var_t:file getattr;
semodule -i linuxshield.pp

Resolved logrotate error.

Thanks for your help,
Brian

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 logrotate

Post by TrevorH » 2016/06/27 14:27:44

The only trouble with that policy file is that it allows logrotate to write to just about anything under /var.

As I said, the best and easiest solution would be to move the log file from under /var/opt to /var/log and it will just work. Logs are meant to be in the log directory.
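An added example, not from the thread: TrevorH's "grep the audit log for avc" step done in Python over the two AVC records Brian posted. It collapses the denials into the rule audit2allow would generate and, following TrevorH's objection, flags a generic target type such as var_t as a labeling problem (move or relabel the file) rather than something to allow; the set of generic types is an assumption.

```python
import re
from collections import Counter

# Sample input: the two AVC records Brian posted in the thread.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1466752862.772:643): avc:  denied  { getattr } for  pid=7726 comm="logrotate" path="/var/opt/NAI/LinuxShield/log/apache/error_log" dev=sda2 ino=287464 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1466752862.997:644): avc:  denied  { getattr } for  pid=7726 comm="logrotate" path="/var/opt/NAI/LinuxShield/log/apache/error_log" dev=sda2 ino=287464 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

# Generic types that label whole trees (assumed list): a denial against one of
# these points at a mislabeled or misplaced file, not at a hole in the policy.
GENERIC_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "tmp_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?:.*?path="(?P<path>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Pull perms, path, source/target type and class out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. the paired SYSCALL record)
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Collapse repeated denials to (source type, target type, class, perms) -> count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def triage(log_text):
    """For each unique denial, emit the audit2allow-style rule plus a verdict."""
    report = []
    for (stype, ttype, tclass, perms), n in sorted(summarize(log_text).items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        verdict = "relabel_or_move" if ttype in GENERIC_TYPES else "consider_allow_rule"
        report.append((rule, n, verdict))
    return report
```

Running triage(SAMPLE_AVC_LOG) yields the same rule Brian's linuxshield.te contains, tagged relabel_or_move because the target type is the generic var_t.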
