Bug 219767

Summary: Logrotate can not rotate files on non-selinux filesystem
Product: Red Hat Enterprise Linux 4 Reporter: Göran Uddeborg <goeran>
Component: logrotateAssignee: Tomas Smetana <tsmetana>
Status: CLOSED ERRATA QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: dwalsh, mmalik, sgrubb, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0703 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-24 19:52:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Göran Uddeborg 2006-12-15 10:00:15 UTC 
Description of problem:
Using logrotate to rotate files on a file system that does not support file
contexts fails.

Version-Release number of selected component (if applicable):
logrotate-3.7.1-5.RHEL4

How reproducible:
Every time

Steps to Reproduce:
1.Mount an NFS filesystem
2.Set up logrotate to rotate a file on this filesystem
3.Run logrotate with this configuration

Actual results:
I get an error message:
   error: error getting file context /users/uddeborg/post/SPAM: Operation not
supported

And the log file is not rotated.

Expected results:
The file ought to be rotated.

Additional info:
Logrotate test if selinux is active.  If it is in enforcing mode, it is
considered an error if getfilecon() fails, and the rotation is aborted.  The
mistake in this logic is to assume that if a system is in SELinux enforcing
mode, then all files will have attributes.

Rotation options are not considered.  The bug is triggered even if the log is
rotated in a way that would not create any new file.
Comment 2 Daniel Walsh 2007-01-08 17:11:39 UTC 
What avc messages are you seeing?
Comment 3 Göran Uddeborg 2007-01-10 12:55:34 UTC 
I don't get any avc messages.  SELinux is not stopping logrotate from doing its job.

Rather (as indicated in comment 0) logrotate aborts if getfilecon() fails.  It
should not do that, at least not when the reason is ENOTSUP.
Comment 4 Daniel Walsh 2007-01-10 21:18:10 UTC 
That seems reasonable to me.
Comment 5 Peter Vrabec 2007-01-14 12:34:00 UTC 
I have changed it:
-                       if (selinux_enforce) {
+                       if (selinux_enforce && errno != ENOTSUP) {
                                return 1;
                        }

Could you test this package, please.
http://people.redhat.com/pvrabec/rpms/logrotate-3.7.1-7.src.rpm
Comment 6 Göran Uddeborg 2007-01-17 12:24:48 UTC 
It seems to rotate as expected.

I still get an error message, which is somewhat confusing.  I would suggest
moving that too within an ENOTSUP test.  At least it should not be a message on
the MESS_ERROR level in the ENOTSUP case.

But the rotation as such works correctly as far as I can tell!
Comment 7 Peter Vrabec 2007-01-18 13:10:26 UTC 
Oooops, I just see this bug is fixed in rhel5, fc6.
Comment 8 RHEL Program Management 2007-11-29 04:22:52 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 errata-xmlrpc 2008-07-24 19:52:10 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0703.html