Bug 1422424
Summary: | error creating output file /var/lib/logrotate.status.tmp: Permission denied | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Karl Latiss <karl+rhbugzilla> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | low | Docs Contact: | |
Priority: | medium | | |
Version: | 7.5-Alt | CC: | cww, karl+rhbugzilla, lvrabec, mgrepl, mikemol, mmalik, monotek23, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-10-30 10:00:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1477664 | | |

Description
Karl Latiss
2017-02-15 10:21:10 UTC
Could you collect SELinux denials, which appear as a result of "error: error creating output file /var/lib/logrotate.status.tmp: Permission denied", and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

$ sudo ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 00:01:01.563:7150) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 00:01:01.563:7150) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xa28310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=15855 pid=15857 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=40 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 00:01:01.563:7150) : avc: denied { create } for pid=15857 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 01:01:01.665:7210) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 01:01:01.665:7210) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 01:01:01.665:7210) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 01:01:01.665:7210) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1ae7310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16087 pid=16089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=42 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 01:01:01.665:7210) : avc: denied { create } for pid=16089 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 02:01:01.768:7513) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 02:01:01.768:7513) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 02:01:01.768:7513) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 02:01:01.768:7513) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1474310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16567 pid=16569 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=46 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 02:01:01.768:7513) : avc: denied { create } for pid=16569 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:01:01.856:7535) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:01:01.856:7535) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 03:01:01.856:7535) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 03:01:01.856:7535) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x103d310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16749 pid=16751 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=47 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:01:01.856:7535) : avc: denied { create } for pid=16751 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:32:01.863:7544) : item=0 name=/etc/cron.daily/man-db.cron objtype=UNKNOWN
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 03:32:01.863:7544) : cwd=/
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 03:32:01.863:7544) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x24cf160 a1=O_RDONLY a2=0x6e6f72 a3=0x3 items=1 ppid=16838 pid=16848 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=47 comm=man-db.cron exe=/usr/bin/bash subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc: denied { dac_read_search } for pid=16848 comm=man-db.cron capability=dac_read_search scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc: denied { dac_override } for pid=16848 comm=man-db.cron capability=dac_override scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 04:01:01.941:7556) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 04:01:01.941:7556) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 04:01:01.941:7556) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 04:01:01.941:7556) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xb21310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16957 pid=16959 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=48 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 04:01:01.941:7556) : avc: denied { create } for pid=16959 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 05:01:02.028:7574) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 05:01:02.028:7574) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 05:01:02.028:7574) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 05:01:02.028:7574) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x17cc310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17156 pid=17158 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=49 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 05:01:02.028:7574) : avc: denied { create } for pid=17158 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 06:01:01.113:7592) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 06:01:01.113:7592) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 06:01:01.113:7592) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 06:01:01.113:7592) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x12d0310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17331 pid=17333 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=50 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 06:01:01.113:7592) : avc: denied { create } for pid=17333 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 07:01:01.198:7612) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 07:01:01.198:7612) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 07:01:01.198:7612) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 07:01:01.198:7612) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x25e2310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17509 pid=17511 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=51 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 07:01:01.198:7612) : avc: denied { create } for pid=17511 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 08:01:01.284:7630) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 08:01:01.284:7630) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 08:01:01.284:7630) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 08:01:01.284:7630) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1f00310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17708 pid=17710 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=52 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 08:01:01.284:7630) : avc: denied { create } for pid=17710 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 09:01:01.365:7650) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 09:01:01.365:7650) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 09:01:01.365:7650) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 09:01:01.365:7650) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x20b5310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17886 pid=17888 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=53 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 09:01:01.365:7650) : avc: denied { create } for pid=17888 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=USER_AVC msg=audit(15/02/17 09:45:55.665:12241) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 10:01:01.454:12247) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 10:01:01.454:12247) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 10:01:01.454:12247) : cwd=/root
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 10:01:01.454:12247) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xb88310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=18107 pid=18109 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=55 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 10:01:01.454:12247) : avc: denied { create } for pid=18109 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Could you paste here the output of the following 2 commands executed on your machine?

# sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t;

# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

#

The sesearch tool comes from setools-console package.

I have similar symptoms on a slightly older version of CentOS 7. I have systems that work fine (, and systems that don't.

The systems that don't work fine, I had selectively run "yum update logrotate" on them. I started getting "error: error creating state file /var/lib/logrotate/logrotate.status: Permission denied" errors in my emails.

Checking SELinux, I found "type=AVC msg=audit(1488962942.318:4517026): avc: denied { write } for pid=14985 comm="logrotate" name="logrotate.status" dev="vda2" ino=349 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file"

SELinux context on a system where it works:
<pre>-rw-r--r--. root root system_u:object_r:logrotate_var_lib_t:s0 /var/lib/logrotate/logrotate.status</pre>

SELinux context on a system where it does not:
<pre>-rw-r--r--. root root system_u:object_r:var_lib_t:s0 /var/lib/logrotate/logrotate.status</pre>

Googling for similar issues, I found reports that removing the file may fix the issue, but it did not (at least for me). Reinstalling the package also did not help.

I did discover that the parent directory to the logrotate.status file has the same context as the file itself, so I suspect the file is inheriting the parent directory's context upon creation. I've now removed the parent directory on the affected hosts and am attempting a reinstall, to see if the context changes.

Per the sesearch needinfo, here is my output:
<pre># sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t;

# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;</pre>

Ignore my comment. Updating selinux-policy resolved my issue.

Apologies for the delay.

$ sudo sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t;

$ sudo sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

It seems that this is not a bug after all. The issue related to a logrotate cron configuration script incorrectly deployed via configuration management. It was using an older (RHEL 6) config entry.

So how to fix it?

semanage fcontext -a -t logrotate_var_lib_t /var/lib/logrotate.status.tmp
restorecon /var/lib/logrotate.status.tmp

Gives me:

restorecon: lstat(/var/lib/logrotate.status.tmp) failed: No such file or directory

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
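For triaging a dump like the ausearch output in this report, the following added example (not code from the bug report or from Red Hat) parses AVC denials in both formats quoted here, collapses the hourly repeats, and flags targets whose type differs from the one covered by the quoted sesearch allow rule. `PRIVATE_TYPE`, the function names and the shortened node name `host1` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: AVC records trimmed from the denials quoted in this report
# (node name shortened); "ausearch -i" style records plus one raw audit.log line.
SAMPLE = """\
node=host1 type=AVC msg=audit(15/02/17 00:01:01.563:7150) : avc: denied { create } for pid=15857 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
node=host1 type=AVC msg=audit(15/02/17 01:01:01.665:7210) : avc: denied { create } for pid=16089 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=host1 type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc: denied { dac_read_search } for pid=16848 comm=man-db.cron capability=dac_read_search scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability
----
node=host1 type=USER_AVC msg=audit(15/02/17 09:45:55.665:12241) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd'
type=AVC msg=audit(1488962942.318:4517026): avc: denied { write } for pid=14985 comm="logrotate" name="logrotate.status" dev="vda2" ino=349 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Assumption of this example, taken from the sesearch allow rule quoted in the report:
PRIVATE_TYPE = {("logrotate_t", "file"): "logrotate_var_lib_t"}

AVC_RE = re.compile(r"type=AVC msg=audit\(([^)]*)\)\s*:\s*avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per (AVC record, permission); other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        for perm in m.group(2).split():
            denials.append({"perm": perm, "comm": kv.get("comm"), "name": kv.get("name"),
                            "source": sel_type(kv["scontext"]),
                            "target": sel_type(kv["tcontext"]), "tclass": kv["tclass"]})
    return denials

def summarize(denials):
    """Collapse repeated denials into unique tuples with counts."""
    return Counter((d["source"], d["target"], d["tclass"], d["perm"], d["name"]) for d in denials)

def label_mismatches(denials):
    """Objects whose type is not the one the quoted allow rule grants access on."""
    hits = set()
    for d in denials:
        want = PRIVATE_TYPE.get((d["source"], d["tclass"]))
        if want and d["target"] != want:
            hits.add((d["name"], d["target"], want))
    return sorted(hits)

if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    for key, count in summarize(found).items():
        print(count, *key)
    for name, have, want in label_mismatches(found):
        print(f"{name}: type {have}, allow rule covers {want}")
```

A mismatch here only says the object's type is outside the allow rule; whether the cause is a stale label, a path the policy does not label, or an outdated selinux-policy package still has to be checked on the host.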