logrotate fails on RHEL 7 due to selinux issue

Bug #1420690 reported by Ken Snider
Affects                                                          Status   Importance  Assigned to  Milestone
Percona Server (moved to https://jira.percona.com/projects/PS)   Invalid  Undecided   Unassigned
  5.5                                                            Expired  Undecided   Unassigned
  5.6                                                            Invalid  Undecided   Unassigned

Bug Description

logrotate is unable to rotate the mysqld.log file under RHEL7, due to SELinux permissions.

When /etc/logrotate.d/mysql runs, it generates the following AVC:

type=AVC msg=audit(1423644001.267:419232): avc: denied { getattr } for pid=30195 comm="logrotate" path="/var/lib/mysql/mysqld.log" dev="dm-2" ino=402655238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file

This prevents the log from rotating successfully.

Tags: pkg
tags: added: pkg
Changed in percona-server:
assignee: nobody → Muhammad Irfan (muhammad-irfan)
Nilnandan Joshi (nilnandan-joshi) wrote :

Could not reproduce this with RHEL 7. Can you provide the output of sestatus?

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]#

[root@localhost ~]# logrotate -v -f /etc/logrotate.d/mysql
reading config file /etc/logrotate.d/mysql

Handling 1 logs

rotating pattern: /var/lib/mysql/mysqld.log forced from command line (5 rotations)
empty log files are not rotated, old logs are removed
considering log /var/lib/mysql/mysqld.log
  log needs rotating
rotating log /var/lib/mysql/mysqld.log, log->rotateCount is 5
dateext suffix '-20150313'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/lib/mysql/mysqld.log.5.gz to /var/lib/mysql/mysqld.log.6.gz (rotatecount 5, logstart 1, i 5),
old log /var/lib/mysql/mysqld.log.5.gz does not exist
renaming /var/lib/mysql/mysqld.log.4.gz to /var/lib/mysql/mysqld.log.5.gz (rotatecount 5, logstart 1, i 4),
old log /var/lib/mysql/mysqld.log.4.gz does not exist
renaming /var/lib/mysql/mysqld.log.3.gz to /var/lib/mysql/mysqld.log.4.gz (rotatecount 5, logstart 1, i 3),
old log /var/lib/mysql/mysqld.log.3.gz does not exist
renaming /var/lib/mysql/mysqld.log.2.gz to /var/lib/mysql/mysqld.log.3.gz (rotatecount 5, logstart 1, i 2),
old log /var/lib/mysql/mysqld.log.2.gz does not exist
renaming /var/lib/mysql/mysqld.log.1.gz to /var/lib/mysql/mysqld.log.2.gz (rotatecount 5, logstart 1, i 1),
old log /var/lib/mysql/mysqld.log.1.gz does not exist
renaming /var/lib/mysql/mysqld.log.0.gz to /var/lib/mysql/mysqld.log.1.gz (rotatecount 5, logstart 1, i 0),
old log /var/lib/mysql/mysqld.log.0.gz does not exist
log /var/lib/mysql/mysqld.log.6.gz doesn't exist -- won't try to dispose of it
fscreate context set to system_u:object_r:mysqld_db_t:s0
renaming /var/lib/mysql/mysqld.log to /var/lib/mysql/mysqld.log.1
running postrotate script
compressing log with: /bin/gzip
set default create context
[root@localhost ~]#
[root@localhost ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1426241282.297:431): avc: denied { getattr } for pid=4136 comm="mysqld_safe" path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=5013 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1426241282.297:431): arch=c000003e syscall=4 success=no exit=-13 a0=7fdd40 a1=7fff740b4f30 a2=7fff740b4f30 a3=8 items=0 ppid=1 pid=4136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/usr/bin/bash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
type=SERVICE_START msg=audit(1426241285.099:432): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="mysqld" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1426241401.496:433): pid=4387 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1426241401.497:434): pid=4387 uid=0 auid=4294967295...

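An added example, not part of the bug report or of Percona's packaging: a small parser for audit.log AVC records like the ones quoted in this thread. It pulls out the source and target SELinux types, the object class and the denied permission, so a defender can isolate the logrotate_t -> mysqld_db_t getattr denial from the description and tell it apart from the unrelated mysqld_safe_t -> sysfs_t denial that shows up in the reproduction attempt above. The sample records are constructed from the lines quoted on this page; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the first record mirrors the AVC from the bug
# description, the second mirrors the mysqld_safe AVC from the reproduction
# attempt, and the third is a non-AVC record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1423644001.267:419232): avc: denied { getattr } for pid=30195 comm="logrotate" path="/var/lib/mysql/mysqld.log" dev="dm-2" ino=402655238 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file
type=AVC msg=audit(1426241282.297:431): avc: denied { getattr } for pid=4136 comm="mysqld_safe" path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=5013 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SERVICE_START msg=audit(1426241285.099:432): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="mysqld" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
# Real audit.log lines use double spaces around "denied"; "+" tolerates both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+) \} for '
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (path, comm) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type (third colon-separated part) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one audit.log line; return None for anything that is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": m.group("serial"),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def find_denials(log_text: str, source_type: Optional[str] = None) -> List[Dict]:
    """Return all denied AVCs, optionally only those from one source type."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if source_type and rec["source_type"] != source_type:
            continue
        hits.append(rec)
    return hits


def summarize(rec: Dict) -> str:
    """One-line, human-readable view of a denial for triage."""
    return "{} -> {} ({}): {} denied on {} by {}".format(
        rec["source_type"], rec["target_type"], rec["tclass"],
        ",".join(rec["perms"]), rec["path"], rec["comm"])


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG, source_type="logrotate_t"):
        print(summarize(rec))
```

Filtering on `source_type="logrotate_t"` returns only the record that matches this bug; the mysqld_safe_t denial in the reproduction log is a different problem and is why that run looked clean from logrotate's point of view. The denial itself arises because the log file sits in the datadir and carries the datadir label mysqld_db_t, which logrotate_t is not permitted to read; the conventional remedy is to give the log a log label (mysqld_log_t) or keep it under /var/log, rather than widening what logrotate_t may touch.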

Ken Snider (ksnider-s) wrote :

Sure, though it matches yours:

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Thanks.

Ken Snider (ksnider-s) wrote :

This appears to have been corrected in a recent release, likely between February and March.

Thanks.

Valerii Kravchuk (valerii-kravchuk) wrote :

Thank you for the status update.

Launchpad Janitor (janitor) wrote :

[Expired for Percona Server 5.5 because there has been no activity for 60 days.]

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3261
