Linux – SELinux + logrotate + prerotate = Permission Denied

logrotateselinux

I have what (should) be a fairly straightforward task:
Migrate a set of custom log files to a database at night.

I use logrotate (cron.daily) with a simple prerotate task

/var/log/myapplog/*.log
{
    daily
    copytruncate
    rotate 366
    dateext
    dateformat .%Y-%m-%d
    compress
    missingok
    compresscmd /usr/bin/xz
    compressoptions -ze9
    compressext .xz
    prerotate
        /usr/local/myapp/bin/DBWriter $1
    endscript
}

Unfortunately SELinux doesn't see it that way. If I setenforce 0 then the script runs perfectly. Rotates logs, sends them to the DB, etc.
setenforce 1, however, returns :

logrotate_script: line 1: /usr/local/myapp/bin/DBWriter: Permission denied

I've tried changing contexts on DBWriter, most recently I set it to unconfined_u:unconfined_r:unconfined_t which did not work either…

Ideally, I need to keep SELinux enabled. If it matters, DBWriter is also available as a java .jar file. But running java -jar DBWriter.jar has the same result.

Thanks in advance!

Edit: Win.T's answer below solved the problem for me.

semanage permissive -a logrotate_t

Part of the problem is that I was trying to do exactly what SELinux is designed to prevent: cause process A to execute unknown file B and wreak havoc on system C

Project design considerations and restrictions put us on this path.

Clients don't always want to hear about those fancy buzz words like security and future-proofing.

Best Answer

Look in /var/log/messages and /var/log/audit/audit.log (if you have auditd running). You can also use audit2allow to view SELinux error messages and possible solutions.

Additionally, try semanage permissive -a logrotate_t to allow logrotate to run and not be denied by SELinux.

Related Solutions

Linux – SELinux denied access

This probably happened after an update of the system, and as temporary file are usually not needed after a reboot, I'd try to delete the file.

fuser /tmp/tmpGTbWYh

With this command you see if the file is used by any process and will give you one or more numbers (Process ID, PID).

No numbers it means the process is not used and you can delete safely the file

rm /tmp/tmpGTbWYh

Do the above with a user that have the rights to do it (your user? root?), you can check this with an ls

ls -l /tmp/tmpGTbWYh

If the file is used by any process you can do a ps and filter by each PID you found with the execution of the fuser

ps -ef | grep $PID

You must substitute $PID with numbers found above (with fuser).

At this point you should decide if you can, identify the aplication is using the file and close it if you can, or kill the process (kill $PID), or delete the file anyway (it maybe be risky).

If you have troubles to decide let us know.

SELinux – Why Do SELinux Policies Apply to Commands from Cronjobs but Not from Command Line?

When cron runs logrotate, SELinux confines it to a logrotate_t "type". That "type" is restricted from modifying other file types (aka "escaping the confinement").

When you run logrotate, you're (most likely) starting from an "unconfined" type, which means what it says -- the logrotate process is permitted to modify files. You might also want logrotate to restart or signal processes (via postrotate, for example); that activity may also be confined by SELinux.

My suggestion here is to tell SELinux to allow ("permit") the logrotate_t type to escape the confinement, with:

semanage permissive -a logrotate_t

Doing so is a moderate solution, in-between turning SELinux off and fine-tuning a policy that allows exactly the confinement escapes that you need (perhaps with custom labeling). To revert this change, use semanage permissive -d logrotate_t.

The best way to simulate a cron-initiated process is to put the jobs into cron. Alternatively, I'm aware of runcon, although I wasn't able to use it successfully.

Best Answer

Related Solutions

Linux – SELinux denied access

SELinux – Why Do SELinux Policies Apply to Commands from Cronjobs but Not from Command Line?

Related Question