| Summary: | SELinux prevents logrotate to rotate ejabberd logs | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Garri <g.djavadyan> |
| Component: | ejabberd | Assignee: | Peter Lemenkov <lemenkov> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | el6 | CC: | jeremy, lemenkov, randy |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-07 19:59:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Thanks for the bug report Garri! I normally would reassign SELinux tickets to the selinux-policy package in Fedora, but I realized that for EPEL the selinux-policy package is not distributed by EPEL but by Red Hat Enterprise Linux. I suspect that they will not want to support an EPEL package, so I think the right thing is for ejabberd in EPEL to distribute an SELinux policy of its own. I don't have much time in my immediate future to write such a policy, but I'll keep this on my radar for when I have some free time and a hankering for policy writing ☺ If someone wants to take the time to write a policy and attach it to this ticket, that could help us out a lot.

Hi Randy,
Thank you for the clarification!
I found that moving the burden of running ejabberdctl to reopen log files from logrotate to an init script function solves the problem. Below are my local modifications:
--- /root/backup/ejabberd.init 2016-09-20 13:14:44.059706940 +0500
+++ /etc/init.d/ejabberd 2016-09-20 14:17:07.166706547 +0500
@@ -84,6 +84,10 @@
start
}
+reopen-log() {
+ runuser -s /bin/bash - ejabberd -c "/usr/sbin/ejabberdctl reopen-log"
+}
+
# See how we were called.
case "$1" in
start)
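Review bot: `reopen-log` as a function name is a bash extension; a hyphen is not valid in a POSIX shell function name, so this only works if the init script is executed by bash, which the hunk does not show. Renaming the function to `reopen_log` (the `reopen-log)` case label can stay hyphenated) avoids tying the script to bash. Also note that the function moves the same `runuser ... ejabberdctl reopen-log` command verbatim; it can only avoid the denials if `service` starts the init script in a domain other than logrotate_t, so this is a workaround rather than the ejabberd policy suggested earlier in the ticket.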
@@ -101,8 +105,11 @@
status)
$progctl status
;;
+ reopen-log)
+ reopen-log
+ ;;
*)
- echo "Usage: ejabberd {start|stop|restart|force-reload|condrestart|try-restart|status}"
+ echo "Usage: ejabberd {start|stop|restart|force-reload|condrestart|try-restart|status|reopen-log}"
exit 2
esac
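Review bot: the `status)` branch above calls `$progctl status`, while the new function hardcodes `/usr/sbin/ejabberdctl`; calling `$progctl reopen-log` keeps a single definition of the control tool. The new `reopen-log)` branch also does not return the exit status of the reopen to the caller, so a failed reopen looks identical to success; returning the function's exit status would let logrotate observe it. The usage string update is correct.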
=============
--- /root/backup/ejabberd.logrotate 2016-09-20 14:18:57.763706964 +0500
+++ /etc/logrotate.d/ejabberd 2016-09-20 14:20:32.628706734 +0500
@@ -4,6 +4,6 @@
create 0640 ejabberd ejabberd
sharedscripts
postrotate
- runuser -s /bin/bash - ejabberd -c "/usr/sbin/ejabberdctl reopen-log" >/dev/null 2>/dev/null || true
+ /sbin/service ejabberd reopen-log >/dev/null 2>/dev/null || true
endscript
}
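Review bot: the new postrotate line depends on the init-script change; without it, `service ejabberd reopen-log` prints the usage message and exits 2, which `>/dev/null 2>/dev/null || true` silences, so ejabberd keeps writing to the renamed file and the freshly created log stays empty with no message in the logrotate output. Consider dropping the stderr redirect (keeping `|| true` so rotation still completes) and shipping both patches together. Also verify in permissive mode that invoking the init script from logrotate_t does not itself produce new AVC denials, since that is exactly what the original report shows for the direct ejabberdctl call.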
============
Is it possible to adapt the modifications to EPEL repo? Thanks in advance!
It appears that ejabberd is retired in EPEL 6:
2014-12-17: Retired orphaned package, because it was orphaned for more than six weeks.
Reference: https://fedorahosted.org/epel/ticket/7
https://admin.fedoraproject.org/pkgdb/package/rpms/ejabberd/
Dear developers,
SELinux on latest CentOS 6.8 (selinux-policy-3.7.19-292.el6) prevents ejabberd (ejabberd-2.1.13-1.el6) log rotation. Below are deny messages from audit.log caught in SE permissive mode:
type=AVC msg=audit(1474095241.805:711): avc: denied { write } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.805:711): avc: denied { open } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.806:712): avc: denied { lock } for pid=16028 comm="flock" path="/var/lock/ejabberdctl/ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.845:713): avc: denied { name_bind } for pid=16035 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.954:714): avc: denied { listen } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1474095241.955:715): avc: denied { name_connect } for pid=16029 comm="beam" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.966:716): avc: denied { accept } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket
Thanks in advance!
Garri
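An added triage helper, not part of the bug report or the ejabberd package: it parses the AVC lines quoted above (embedded inline as the sample input), groups the denials by source domain, target type and permission, and lists which programs ended up executing inside logrotate_t. That grouping is the input a packager needs when deciding between a targeted policy module and a different postrotate hook.

```python
import re
from collections import defaultdict

# Sample input: the AVC denials quoted in this ticket (constructed inline so
# the script runs offline; on a real host read /var/log/audit/audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1474095241.805:711): avc: denied { write } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.805:711): avc: denied { open } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.806:712): avc: denied { lock } for pid=16028 comm="flock" path="/var/lock/ejabberdctl/ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.845:713): avc: denied { name_bind } for pid=16035 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.954:714): avc: denied { listen } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1474095241.955:715): avc: denied { name_connect } for pid=16029 comm="beam" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.966:716): avc: denied { accept } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket
"""

# One AVC record: permissions in braces, the program name, and the three labels.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial line; lines that are not AVC records are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["sdomain"] = d["scontext"].split(":")[2]  # type field, e.g. logrotate_t
        d["ttype"] = d["tcontext"].split(":")[2]    # e.g. var_lock_t or port_t
        events.append(d)
    return events


def summarize(events):
    """Group denials as {source domain: {(target type, object class): {permissions}}}."""
    out = defaultdict(lambda: defaultdict(set))
    for e in events:
        out[e["sdomain"]][(e["ttype"], e["tclass"])].update(e["perms"])
    return out


def foreign_programs(events):
    """Programs whose name does not match the domain they ran in (logrotate_t running
    ejabberdctl, flock, epmd and beam): the sign that the hook lacks a domain transition."""
    return sorted({e["comm"] for e in events if e["comm"] != e["sdomain"].rsplit("_t", 1)[0]})
```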