I have what (should) be a fairly straightforward task:
Migrate a set of custom log files to a database at night.
I use logrotate (cron.daily) with a simple prerotate task:

    /var/log/myapplog/*.log
    {
        daily
        copytruncate
        rotate 366
        dateext
        dateformat .%Y-%m-%d
        compress
        missingok
        compresscmd /usr/bin/xz
        compressoptions -ze9
        compressext .xz
        prerotate
            /usr/local/myapp/bin/DBWriter $1
        endscript
    }
Unfortunately SELinux doesn't see it that way. If I setenforce 0, then the script runs perfectly: rotates logs, sends them to the DB, etc. setenforce 1, however, returns:

    logrotate_script: line 1: /usr/local/myapp/bin/DBWriter: Permission denied
I've tried changing contexts on DBWriter; most recently I set it to unconfined_u:unconfined_r:unconfined_t, which did not work either.

Ideally, I need to keep SELinux enabled. If it matters, DBWriter is also available as a Java .jar file, but running java -jar DBWriter.jar has the same result.
Thanks in advance!
Edit: Win.T's answer below solved the problem for me.

    semanage permissive -a logrotate_t
Part of the problem is that I was trying to do exactly what SELinux is designed to prevent: cause process A to execute unknown file B and wreak havoc on system C. Project design considerations and restrictions put us on this path.
Clients don't always want to hear about those fancy buzz words like security and future-proofing.
Best Answer
Look in /var/log/messages and /var/log/audit/audit.log (if you have auditd running). You can also use audit2allow to view SELinux error messages and possible solutions. Additionally, try

    semanage permissive -a logrotate_t

to allow logrotate to run and not be denied by SELinux.
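As an added example (not code from Win.T's answer or from the original question), the following POSIX shell script shows the audit-log check the answer points at: it pulls the AVC denials raised by the logrotate_t domain out of audit records, reports what permission was refused against which file label, and prints the audit2allow/semodule command sequence that builds a policy module covering only those denials, which is a narrower fix than making the whole domain permissive. The audit lines are constructed here in the format auditd writes (PIDs, inodes and the unrelated httpd denial are made up); on a real host you would read /var/log/audit/audit.log instead. The module name myapp_logrotate is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Constructed sample in the format auditd writes AVC records to
# /var/log/audit/audit.log. PIDs, inodes and the second, unrelated
# httpd denial are made up; on a real system read the audit log itself.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="logrotate" name="DBWriter" dev="dm-0" ino=5678 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=no exit=-13 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(1700000000.789:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="dm-0" ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_denials DOMAIN: print every AVC denial whose source context is DOMAIN
avc_denials() {
    printf '%s\n' "$AUDIT_SAMPLE" | grep "^type=AVC .*avc:  denied .*scontext=[^ ]*:$1:"
}

# count_avc_denials DOMAIN: how many denials that domain raised
count_avc_denials() {
    avc_denials "$1" | grep -c .
}

# denied_permissions DOMAIN: the refused permissions, one per line (e.g. "execute")
denied_permissions() {
    avc_denials "$1" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p'
}

# denied_targets DOMAIN: "name tclass tcontext" for each denial, so the label
# of the target file can be compared with ls -Z before choosing a fix
denied_targets() {
    avc_denials "$1" | sed -n 's/.*name="\([^"]*\)".*scontext=[^ ]* tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \3 \2/p'
}

# policy_commands DOMAIN MODULE: the audit2allow/semodule commands that build
# a policy module covering only DOMAIN's denials. Printed, not executed:
# the generated .te file should be reviewed before the module is loaded.
policy_commands() {
    printf 'grep %s /var/log/audit/audit.log | audit2allow -M %s\n' "$1" "$2"
    printf 'cat %s.te   # review the allow rules before loading\n' "$2"
    printf 'semodule -i %s.pp\n' "$2"
}

echo "logrotate_t denials: $(count_avc_denials logrotate_t)"
denied_targets logrotate_t
policy_commands logrotate_t myapp_logrotate
```

The denied_targets output is the useful part for deciding between the two fixes: if the target file carries a generic label such as usr_t, the denial is often a labeling problem rather than a missing rule, and relabeling the directory (semanage fcontext -a -t bin_t '/usr/local/myapp/bin(/.*)?' followed by restorecon -Rv /usr/local/myapp/bin) lets logrotate execute it under the existing policy; only when the file already has an executable type is a custom module the right tool.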