Bug 1006593 - splice log rolling sets incorrect permissions
splice log rolling sets incorrect permissions
Product: Subscription Asset Manager
Classification: Red Hat
Component: Splice (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: John Matthews
Depends On:
Blocks: sam13-tracker
  Show dependency treegraph
Reported: 2013-09-10 17:24 EDT by Chris Duryee
Modified: 2013-10-01 07:25 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-01 07:25:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2013:1390 normal SHIPPED_LIVE Release 1.3 of Subscription Asset Manager 2013-10-01 10:43:14 EDT

  None (edit)
Description Chris Duryee 2013-09-10 17:24:35 EDT
Description of problem:

When /var/log/splice/splice.log is rolled, the new permissions are incorrect. For example:

]# ls -Z /var/log/splice
drwxrwxr-x. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 celery
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 general.log
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 spacewalk_splice_tool.log
-rw-r--r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log
-rw-r--r--. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 splice.log.1
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log.2

This causes errors such as this to occur, which only happen after the log gets rolled:

-bash-4.1$ spacewalk-splice-checkin --spacewalk-sync                                     
[Errno 13] Permission denied: '/var/log/splice/splice.log'
Unable to initialize logging config with: /etc/splice/logging/basic.cfg

Version-Release number of selected component (if applicable): 0.40

How reproducible: every time

Steps to Reproduce:
1. run spacewalk-splice-tool --splice-sync enough times for the log to roll over
2. run spacewalk-splice-tool again

Actual results:
permissions error will appear

Expected results:
no errors

Additional info:
we may want to switch to the regular FileHandler instead of RollingFileHandler. Additionally, we may want to switch splice.log's log level to ERROR instead of INFO, to reduce the amount of logging.
Comment 2 John Matthews 2013-09-11 13:43:47 EDT
We created a new log handler that sets the umask so all newly created log files will be group writeable.  

Additionally, spacewalk-splice-checkin and the splice mod_wsgi app are both already running as the 'splice' group. 

Therefore when new files are created and are group writeable both splice mod_wsgi and spacewalk-splice-checkin will be able to write to this files.

Change to splice.common

Change to spacewalk-splice-tool
Comment 3 Vitaly Kuznetsov 2013-09-13 05:41:36 EDT
Verified with snapshot 6, permissions after rolling are ok:
# ls -la /var/log/splice/s*
-rw-rw-r--. 1 splice splice     4784 Sep 11 12:49 /var/log/splice/spacewalk_splice_tool.log
-rw-rw-r--. 1 apache splice 14399354 Sep 11 08:49 /var/log/splice/spacewalk_splice_tool.log.1
-rw-rw-r--. 1 splice splice     5439 Sep 11 12:49 /var/log/splice/splice.log
-rw-rw-r--. 1 apache splice 14697545 Sep 11 12:46 /var/log/splice/splice.log.1
Comment 5 errata-xmlrpc 2013-10-01 07:25:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.