SELinux context is wrong after reboot for haproxy logs

Bug #1810422 reported by Cédric Jeanneret on 2019-01-03
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Medium
Cédric Jeanneret

Bug Description

Hello,

On containerized under/overcloud, the log directory for haproxy has the wrong setype. As this service sends its logs via rsyslog, the following type should be applied to /var/log/containers/haproxy:
var_log_t

But apparently, something sets it back to container_file_t upon reboot, and this prevent rsyslog to write its content as expected.

I therefore see two solutions:
- either find out what is setting up this context, and correct it
- or do the same trick as the "swift" service: /var/log/containers/swift is a symlink to /var/logs/swift

I'd rather do the first one, but I suspect the second solution will be easier to do.

Any thoughts?

> - either find out what is setting up this context, and correct it
I rather do this.

Cédric Jeanneret (cjeanner) wrote :

So, after many thoughts and reflections, I finally found out what's going on:
there's this mount:
docker/services/logrotate-crond.yaml: - /var/log/containers:/var/log/containers:z

This will basically change the context for the containers/ content, hence preventing rsyslog to write in it.

This also mean, if we move the logs outside of this location, we will have to manage the rotation from the host directly. Not sure we want that (although, to be fair, I don't think running logrotate from within a container is a good idea anyway).

Apart from allowing rsyslog to write in container_file_t, I don't see what to do.... ?

Cédric Jeanneret (cjeanner) wrote :

PR has been merged in openstack-selinux. New package will be available shortly for master.

Changed in tripleo:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers