UPDATE:

Figured out the issue, it's with my fcontext path expression. I have to use

    semanage fcontext -a -t logrotate_tmp_t "/etc/httpd/logs(/.*)?"

instead of

    semanage fcontext -a -t logrotate_tmp_t "/etc/httpd/logs/*"

and `-t httpd_log_t` also works.
I think the questions that remain are:

- Where can I find the documentation reference for the expression, and will it be version-specific?
- Is there any `man` command to show this kind of SELinux file-context related help content on the server? I checked, and `seinfo` and `sesearch` were not installed on that server; do I simply have to install them?
ORIGINAL:

I have a server in AWS running SELinux, and I have been trying to configure httpd log rotation.

    sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
logrotate can't seem to work properly on httpd logs. Manually running `logrotate` and `logrotate -f` as root works. I tried it with `logrotate -d`; it does read logrotate.status and retrieve the last date correctly. But when it is run from cron.daily/logrotate, the rotation does not happen and I receive mail in /var/mail/root saying

    /etc/cron.daily/logrotate:
    error: unable to open /etc/httpd/logs/access_log-yyyymmdd for compression

or sometimes

    error: error opening /etc/httpd/logs/access_log: Permission denied
`ls -Z` in the path yields the below:

    ~ cd /etc/httpd
    ~ ls -dZ logs
    drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 logs
    ~ ls -Z logs
    -rw-r--r--. root unconfined_u:object_r:httpd_config_t:s0 access_log
I was having difficulty determining what file contexts to use and how to apply them to the folder and files. `man logrotate` does not mention what contexts it needs, and the date of the manual is 2022; the `man semanage` manual is dated 2010. Reading https://linux.die.net/man/8/logrotate_selinux, the only appropriate file context seems to be logrotate_tmp_t, so I tried to add it:
    semanage fcontext -a -t logrotate_tmp_t /etc/httpd/logs/*
    restorecon -v /etc/httpd/logs/*
but `restorecon` did not produce any output, not even without `*` or `/`. I checked `semanage fcontext -l` with `grep -n`:

    685:/etc/httpd(/.*)?     all files system_u:object_r:httpd_config_t:s0
    2928:/etc/httpd/logs     all files system_u:object_r:httpd_log_t:s0
    4642:/etc/httpd/logs/*   all files system_u:object_r:logrotate_tmp_t:s0

I read that lines that come later should take precedence; however, that does not seem to be the case, as seen in the `ls -Z` output above. I also tried to give the logs folder the var_log_t context as a workaround (the same context as /var/log), but it also does not show in `ls -Z`. I even tried `semanage fcontext -C -l` in the logs folder, and only the entry

    /etc/httpd/logs/*   all files system_u:object_r:logrotate_tmp_t:s0

came up.
I am confused whether this is due to the SELinux and logrotate versions being too old; I would want to know.

- Is there a correct way to invoke the SELinux-related manual of logrotate on the machine? `man logrotate_` followed by Tab does not show any available options.
- Did I understand the SELinux file context precedence correctly?
- Is this an old version issue?
- Does the context type given by `fcontext -l` matter? The choices are "all files, regular file, directory, symbolic link, etc."
- If the context type matters, how do I set it in the command? `semanage -v` showed that it is in the Object-specific Options: `-f` specifies the file type of the object, `""` is all files, `--` is regular file, `-d` is directory, but wherever I insert it in the `semanage fcontext -a -t type files` command, it always gives me `semanage: bad option`.
- What is my actual issue?
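Added illustration (this is not part of the original question, nor code from any SELinux tool): libselinux anchors every file_contexts expression at both ends before matching it against a path, so `/etc/httpd/logs/*` behaves like `^/etc/httpd/logs/*$`, which is the directory itself followed by zero or more slashes, and never a file inside it. `grep -Ex` performs the same whole-line anchored extended-regex match, so the snippet below uses it to replay the post's three rules (constructed from the `semanage fcontext -l` excerpt above) against the paths in question, once with the original `/etc/httpd/logs/*` rule and once with the `(/.*)?` rule from the UPDATE. It prints every rule that matches, in table order, so it does not depend on which matching rule libselinux would finally pick. The helper names `fc_matches` and `fc_matching_types` and the `RULES_*` variables are this example's own; newer libselinux builds use PCRE rather than POSIX regex, but for these patterns the result is the same.

```shell
#!/bin/sh
# Replay SELinux file_contexts matching with grep -Ex (anchored ERE).
# Assumption (documented in the lead-in): libselinux anchors each
# expression as ^...$ before matching, which is what grep -Ex does.

# Rule table constructed from the post's `semanage fcontext -l` excerpt:
# "<regex> <type>" per line, in listing order. Last line is the rule
# the post originally added.
RULES_BROKEN='/etc/httpd(/.*)? httpd_config_t
/etc/httpd/logs httpd_log_t
/etc/httpd/logs/* logrotate_tmp_t'

# Same table with the corrected rule from the UPDATE.
RULES_FIXED='/etc/httpd(/.*)? httpd_config_t
/etc/httpd/logs httpd_log_t
/etc/httpd/logs(/.*)? logrotate_tmp_t'

# fc_matches REGEX PATH -> exit 0 if REGEX, anchored at both ends,
# matches the whole PATH (grep -x = whole line, -E = extended regex).
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# fc_matching_types RULES PATH -> prints, on one line and in table
# order, the type of every rule whose regex matches PATH.
# An empty line means no rule matched at all.
fc_matching_types() {
    printf '%s\n' "$1" | {
        while read -r regex type; do
            if fc_matches "$regex" "$2"; then
                printf '%s ' "$type"
            fi
        done
        printf '\n'
    } | sed 's/ $//'
}

# Show the difference for the directory, the directory with a trailing
# slash, and the log file the cron job could not open.
for path in /etc/httpd/logs /etc/httpd/logs/ /etc/httpd/logs/access_log; do
    printf '%-28s logs/*: [%s]\n%-28s logs(/.*)?: [%s]\n' \
        "$path" "$(fc_matching_types "$RULES_BROKEN" "$path")" \
        "" "$(fc_matching_types "$RULES_FIXED" "$path")"
done
```

With the original rule, `/etc/httpd/logs/access_log` is matched only by `/etc/httpd(/.*)?`, which is exactly the httpd_config_t label seen in the `ls -Z` output; the logrotate_tmp_t rule matches `/etc/httpd/logs` and `/etc/httpd/logs/` but nothing beneath them, so no precedence rule could ever have applied it to the log file. With `/etc/httpd/logs(/.*)?` the file is matched by both the httpd_config_t and the logrotate_tmp_t rules, and `restorecon` has something to relabel.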