Proxysql: SELinux Denied for Logrotate

Created on 14 Sep 2017 · 2 Comments · Source: sysown/proxysql

On CentOS 7, logrotate is denied by SELinux when called from the daily cron (works fine if run manually). Should the log files in /var/lib/proxysql have a different type or should there be a SELinux module specific to proxysql?

grep logrotate /var/log/audit/audit.log.1 | audit2why
type=AVC msg=audit(1505287621.841:1085659): avc:  denied  { write } for  pid=5831 comm="logrotate" name="proxysql_node_monitor.log" dev="dm-0" ino=591580 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1505287621.841:1085660): avc:  denied  { write } for  pid=5831 comm="logrotate" name="proxysql_galera_check.log" dev="dm-0" ino=591581 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

ls -lZ /var/lib/proxysql/
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql.db
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql_galera_check.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql_galera_check.log.1.gz
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql_node_monitor.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql_node_monitor.log.1.gz
-rw-r--r--. proxysql proxysql system_u:object_r:var_lib_t:s0   proxysql.pid

All 2 comments

+1 for this issue on CentOS 7.4.

Manually changing type to var_log_t makes logrotate work properly.
I think the proper solution is moving the logs to /var/log/.

Agree with @fchiacchiaretta here - logs should be in /var/log/proxysql
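The denials quoted in the issue and the relabelling the comments describe, worked through as an added example; this is not code from the proxysql project or from anyone in this thread. It parses AVC lines (constructed for the example from the two denials above plus one unrelated httpd denial), flags the ones that are only a labelling problem (logrotate_t refused write on a *.log file carrying the generic var_lib_t type), and prints the semanage/restorecon commands instead of running them. The /var/lib/proxysql path, the httpd line and the file-name regex are assumptions.

```shell
#!/bin/sh
# Added example, not code from the proxysql project or the issue author.
# Classifies SELinux AVC denials and prints the relabel commands that let
# logrotate reach the proxysql log files, rather than widening the policy
# with audit2allow. The audit lines are constructed: two are the denials
# from the issue, the third is an unrelated httpd denial used as a control.

AVC_SAMPLE='type=AVC msg=audit(1505287621.841:1085659): avc:  denied  { write } for  pid=5831 comm="logrotate" name="proxysql_node_monitor.log" dev="dm-0" ino=591580 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1505287621.841:1085660): avc:  denied  { write } for  pid=5831 comm="logrotate" name="proxysql_galera_check.log" dev="dm-0" ino=591581 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1505287700.100:1085700): avc:  denied  { read } for  pid=6001 comm="httpd" name="index.html" dev="dm-0" ino=700001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=... (quoted or bare).
avc_field() {
    rest=${1#* "$2"=}
    [ "$rest" = "$1" ] && return 1      # key absent on this line
    rest=${rest#\"}
    val=${rest%% *}
    printf '%s\n' "${val%\"}"
}

# avc_type CONTEXT: the type field of user:role:type:range, e.g. logrotate_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission inside "{ ... }", e.g. write.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# classify_denial LINE: "relabel" when logrotate_t is denied write on a
# *.log file typed var_lib_t (a labelling problem), "other" for the rest.
classify_denial() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name)
    if [ "$src" = logrotate_t ] && [ "$tgt" = var_lib_t ] \
        && [ "$(avc_perm "$1")" = write ] && [ "${name%.log}" != "$name" ]; then
        echo relabel
    else
        echo other
    fi
}

# remediation_cmds DIR: print (do not run) the commands that give the log
# files in DIR the var_log_t type logrotate_t already manages. semanage
# records the rule so a later restorecon keeps the label. DIR is an
# assumption; the issue's files live in /var/lib/proxysql.
remediation_cmds() {
    printf 'semanage fcontext -a -t var_log_t "%s/[^/]*\\.log(\\.[0-9]+)?(\\.gz)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# report: one line per denial, "relabel NAME" or "investigate COMM NAME".
report() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
        if [ "$(classify_denial "$line")" = relabel ]; then
            printf 'relabel %s\n' "$(avc_field "$line" name)"
        else
            printf 'investigate %s %s\n' "$(avc_field "$line" comm)" "$(avc_field "$line" name)"
        fi
    done
}

# relabel_count: how many of the denials the relabel would resolve.
relabel_count() {
    report | grep -c '^relabel '
}

report
if [ "$(relabel_count)" -gt 0 ]; then
    remediation_cmds /var/lib/proxysql
fi
```

The point of classifying first: feeding these denials to audit2allow would produce `allow logrotate_t var_lib_t:file write`, which lets logrotate write every var_lib_t file on the host. Relabelling only the log files, or moving them under /var/log where they pick up var_log_t by default as the comments suggest, keeps the policy as narrow as it was.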
