Bug 1426600
| Summary: | /etc/logrotate.d/rabbitmq-server leads to "Password: su: Authentication failure" | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | rabbitmq-server | Assignee: | Peter Lemenkov <lemenkov> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | epel7 | CC: | aizmaylov, bugzilla, djschaap, erinn.looneytriggs, erlang, hajek, hubert.plociniczak, jeckersb, josh, lemenkov, rjones, robert.scheck, s, tsharpe, vogt |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-07-08 22:29:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1413775 | | |
| Bug Blocks: | | | |
Description
Robert Scheck
2017-02-24 12:30:40 UTC
Same here. The problem is the su in the rabbitmqctl script. To reproduce you can set up a simple cron job:
/etc/cron.d/test:
* * * * * root /root/test.sh
/root/test.sh:
#! /bin/bash
echo "id: `id`"
echo "id -r -u: `id -r -u`"
echo "id -r -g: `id -r -g`"
su rabbitmq -s /bin/sh -c "id"
---------
Set context of test.sh to system_u:object_r:logrotate_exec_t:s0.
Output of cronjob:
id: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:logrotate_t:s0-s0:c0.c1023
id -r -u: 0
id -r -g: 0
Password: su: Authentication information cannot be recovered
---------
audit.log contains:
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
---------
This happens even if a local policy has been added to allow it:
# audit2allow < /var/log/audit/audit.log
#============= logrotate_t ==============
#!!!! This avc is allowed in the current policy
allow logrotate_t self:passwd passwd;
---------
I have modified /etc/pam.d/su to enable debug output for rootok:
auth sufficient pam_rootok.so debug
and /var/log/secure also contains the following message then:
su: pam_rootok(su:auth): root check failed
If the test script is bin_t instead of logrotate_exec_t it works.
sudo instead of su also works.
Thus, either selinux needs to be adjusted or the rabbitmqctl script should use sudo instead of su to change from root to rabbitmq user.
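An added triage script for the audit records above; it is not part of the bug report or of the rabbitmq-server package. For each denial it prints the allow rule audit2allow would emit (the same `allow logrotate_t self:passwd passwd;` the report shows) and where the decision was made: in the kernel (type=AVC) or in a userspace object manager (type=USER_AVC, identified by its `exe=` field, here su). The sample log is constructed: record 1 is the USER_AVC line quoted in the report, record 2 is an invented kernel AVC added for comparison.

```shell
#!/bin/sh
# Added example, not from the bug report or the rabbitmq-server package.
# Parses SELinux denial records from an audit log, prints the allow rule
# audit2allow would generate for each, and says whether the denial came
# from the kernel (type=AVC) or from a userspace object manager
# (type=USER_AVC, e.g. su via PAM, named in the exe= field).

# Constructed sample input: line 1 is the USER_AVC record quoted in the
# report, line 2 is a made-up kernel AVC for a file access.
sample_audit_log() {
cat <<'EOF'
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1488708062.200:189725): avc:  denied  { read write } for  pid=21968 comm="logrotate" name="rabbit.log" dev="dm-0" ino=4242 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
}

# avc_field RECORD NAME: value of the NAME=... field, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\([^ ']*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD: the permission set inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type (third field) of an SELinux security context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_origin RECORD: "kernel" for type=AVC; "userspace:<exe>" for
# type=USER_AVC, which is emitted by the program in exe= (su here), not
# by the kernel.
avc_origin() {
    case $1 in
        type=USER_AVC*) printf 'userspace:%s\n' "$(avc_field "$1" exe)" ;;
        type=AVC*)      printf 'kernel\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# avc_to_allow RECORD: the allow rule audit2allow would print for the
# record. Like audit2allow, writes "self" when source and target types match.
avc_to_allow() {
    perms=$(avc_perms "$1")
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    [ "$src" = "$tgt" ] && tgt=self
    case $perms in *" "*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# triage_audit_log: read audit records on stdin, one summary line per denial.
triage_audit_log() {
    while IFS= read -r rec; do
        case $rec in *avc:*denied*) ;; *) continue ;; esac
        printf '%s\t%s\n' "$(avc_to_allow "$rec")" "$(avc_origin "$rec")"
    done
}

sample_audit_log | triage_audit_log
```

Run it against a real log with `triage_audit_log < /var/log/audit/audit.log`. The origin column is the point worth checking first: a USER_AVC record means the access decision was made by su itself (through PAM), which matches the reporter's finding that the rule audit2allow prints is already present in the loaded policy and adding it again changes nothing.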
Hi Redhat

We also met the same problem.

CentOS Linux release 7.3.1611
Kernel 4.12.8-1.el7.elrepo.x86_64
Rabbitmq-server 3.6.9-1

E-mail from logrotate:
========================================================
To: "root@pm-mq-02" <root@pm-mq-02>
Subject: Anacron job 'cron.daily' on pm-mq-02

/etc/cron.daily/logrotate:

Password: su: Authentication failure
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
========================================================

Hi, are there any news about a new package that will fix it?

EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it
will not receive any further security or bug fix updates.
As a result we are closing this bug.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days