Bug 1006593

Summary: splice log rolling sets incorrect permissions
Product: [Retired] Subscription Asset Manager Reporter: Chris Duryee <cduryee>
Component: SpliceAssignee: John Matthews <jmatthew>
Status: CLOSED ERRATA QA Contact: mkovacik
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 1.3CC: bkearney, jmatthew, vkuznets
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-01 11:25:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 833466    

Description Chris Duryee 2013-09-10 21:24:35 UTC 
Description of problem:

When /var/log/splice/splice.log is rolled, the new permissions are incorrect. For example:

]# ls -Z /var/log/splice
drwxrwxr-x. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 celery
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 general.log
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 spacewalk_splice_tool.log
-rw-r--r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log
-rw-r--r--. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 splice.log.1
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log.2

This causes errors such as this to occur, which only happen after the log gets rolled:

-bash-4.1$ spacewalk-splice-checkin --spacewalk-sync                                     
[Errno 13] Permission denied: '/var/log/splice/splice.log'
Unable to initialize logging config with: /etc/splice/logging/basic.cfg


Version-Release number of selected component (if applicable): 0.40

How reproducible: every time

Steps to Reproduce:
1. run spacewalk-splice-tool --splice-sync enough times for the log to roll over
2. run spacewalk-splice-tool again

Actual results:
permissions error will appear

Expected results:
no errors

Additional info:
we may want to switch to the regular FileHandler instead of RollingFileHandler. Additionally, we may want to switch splice.log's log level to ERROR instead of INFO, to reduce the amount of logging.
Comment 2 John Matthews 2013-09-11 17:43:47 UTC 
We created a new log handler that sets the umask so all newly created log files will be group writeable.  

Additionally, spacewalk-splice-checkin and the splice mod_wsgi app are both already running as the 'splice' group. 

Therefore when new files are created and are group writeable both splice mod_wsgi and spacewalk-splice-checkin will be able to write to this files.


Change to splice.common
https://github.com/splice/splice-server/commit/c5707980388c95994ce59943f5a0e61a11eeb89f

Change to spacewalk-splice-tool
https://github.com/splice/spacewalk-splice-tool/commit/66e6bbfed7f2e84062e65650faa257c2e8068f3b
Comment 3 Vitaly Kuznetsov 2013-09-13 09:41:36 UTC 
Verified with snapshot 6, permissions after rolling are ok:
# ls -la /var/log/splice/s*
-rw-rw-r--. 1 splice splice     4784 Sep 11 12:49 /var/log/splice/spacewalk_splice_tool.log
-rw-rw-r--. 1 apache splice 14399354 Sep 11 08:49 /var/log/splice/spacewalk_splice_tool.log.1
-rw-rw-r--. 1 splice splice     5439 Sep 11 12:49 /var/log/splice/splice.log
-rw-rw-r--. 1 apache splice 14697545 Sep 11 12:46 /var/log/splice/splice.log.1
Comment 5 errata-xmlrpc 2013-10-01 11:25:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html