On CentOS 7, logrotate is denied by SELinux when called from the daily cron (works fine if run manually). Should the log files in /var/lib/proxysql have a different type or should there be a SELinux module specific to proxysql?
```
grep logrotate /var/log/audit/audit.log.1 | audit2why
type=AVC msg=audit(1505287621.841:1085659): avc: denied { write } for pid=5831 comm="logrotate" name="proxysql_node_monitor.log" dev="dm-0" ino=591580 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1505287621.841:1085660): avc: denied { write } for pid=5831 comm="logrotate" name="proxysql_galera_check.log" dev="dm-0" ino=591581 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
```
```
ls -lZ /var/lib/proxysql/
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql.db
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql_galera_check.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql_galera_check.log.1.gz
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql_node_monitor.log
-rw-------. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql_node_monitor.log.1.gz
-rw-r--r--. proxysql proxysql system_u:object_r:var_lib_t:s0 proxysql.pid
```
+1 for this issue on CentOS 7.4.
Manually changing type to var_log_t makes logrotate work properly.
I think the proper solution is moving the logs to /var/log/.
Agree with @fchiacchiaretta here - logs should be in /var/log/proxysql
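The relabel discussed in the comments above, as an added example that is not part of the issue or of the ProxySQL project: it extracts the source/target types from logrotate AVC lines like the ones in the report, emits the `semanage fcontext` + `restorecon` pair that makes the `var_log_t` label survive a relabel (a bare `chcon` does not), and offers a check that every `.log` file in the directory now carries `var_log_t`. The audit line is a constructed sample modelled on the report; `semanage` comes from policycoreutils-python on CentOS 7, and the label check assumes an SELinux-enabled host.

```shell
#!/bin/sh
# Constructed sample AVC line, modelled on the denial quoted in the issue.
SAMPLE_AVC='type=AVC msg=audit(1505287621.841:1085659): avc: denied { write } for pid=5831 comm="logrotate" name="proxysql_node_monitor.log" dev="dm-0" ino=591580 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# Read audit lines on stdin and print "source_type target_type filename"
# for every denial raised against the logrotate process.
avc_summary() {
  grep 'comm="logrotate"' | sed -n \
    's/.*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \3 \1/p'
}

# Emit the commands that make the fix persistent: register a file-context
# rule for the .log files (including rotated .log.N.gz copies), then apply it.
# Printed rather than executed so the change can be reviewed before running
# it as root.
relabel_commands() {
  dir="${1:-/var/lib/proxysql}"
  printf 'semanage fcontext -a -t var_log_t "%s/.*\\.log.*"\n' "$dir"
  printf 'restorecon -Rv %s\n' "$dir"
}

# Return 0 only when at least one .log file exists in the directory and every
# one of them carries var_log_t (context is the 4th column of ls -lZ on CentOS 7).
check_labels() {
  dir="${1:-/var/lib/proxysql}"
  ls -lZ "$dir"/*.log 2>/dev/null | awk '
    { n++; split($4, c, ":"); if (c[3] != "var_log_t") bad = 1 }
    END { exit (n == 0 || bad) }'
}

# Stand-alone run: summarise the sample denial and show the relabel commands.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
relabel_commands /var/lib/proxysql
```

Run `check_labels /var/lib/proxysql` after `restorecon` to confirm the relabel took effect before the next cron-driven logrotate.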