Bug 1006593 - splice log rolling sets incorrect permissions
Summary: splice log rolling sets incorrect permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Subscription Asset Manager
Classification: Retired
Component: Splice
Version: 1.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: John Matthews
QA Contact: mkovacik
URL:
Whiteboard:
Depends On:
Blocks: sam13-tracker
TreeView+ depends on / blocked
 
Reported: 2013-09-10 21:24 UTC by Chris Duryee
Modified: 2013-10-01 11:25 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-10-01 11:25:22 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2013:1390 0 normal SHIPPED_LIVE Release 1.3 of Subscription Asset Manager 2013-10-01 14:43:14 UTC

Description Chris Duryee 2013-09-10 21:24:35 UTC 
Description of problem:

When /var/log/splice/splice.log is rolled, the new permissions are incorrect. For example:

]# ls -Z /var/log/splice
drwxrwxr-x. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 celery
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 general.log
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 spacewalk_splice_tool.log
-rw-r--r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log
-rw-r--r--. splice splice system_u:object_r:httpd_sys_rw_content_t:s0 splice.log.1
-rw-rw-r--. apache splice unconfined_u:object_r:httpd_sys_rw_content_t:s0 splice.log.2

This causes errors such as this to occur, which only happen after the log gets rolled:

-bash-4.1$ spacewalk-splice-checkin --spacewalk-sync                                     
[Errno 13] Permission denied: '/var/log/splice/splice.log'
Unable to initialize logging config with: /etc/splice/logging/basic.cfg


Version-Release number of selected component (if applicable): 0.40

How reproducible: every time

Steps to Reproduce:
1. run spacewalk-splice-tool --splice-sync enough times for the log to roll over
2. run spacewalk-splice-tool again

Actual results:
permissions error will appear

Expected results:
no errors

Additional info:
we may want to switch to the regular FileHandler instead of RollingFileHandler. Additionally, we may want to switch splice.log's log level to ERROR instead of INFO, to reduce the amount of logging.
Comment 2 John Matthews 2013-09-11 17:43:47 UTC 
We created a new log handler that sets the umask so all newly created log files will be group writeable.  

Additionally, spacewalk-splice-checkin and the splice mod_wsgi app are both already running as the 'splice' group. 

Therefore when new files are created and are group writeable both splice mod_wsgi and spacewalk-splice-checkin will be able to write to this files.


Change to splice.common
https://github.com/splice/splice-server/commit/c5707980388c95994ce59943f5a0e61a11eeb89f

Change to spacewalk-splice-tool
https://github.com/splice/spacewalk-splice-tool/commit/66e6bbfed7f2e84062e65650faa257c2e8068f3b
Comment 3 Vitaly Kuznetsov 2013-09-13 09:41:36 UTC 
Verified with snapshot 6, permissions after rolling are ok:
# ls -la /var/log/splice/s*
-rw-rw-r--. 1 splice splice     4784 Sep 11 12:49 /var/log/splice/spacewalk_splice_tool.log
-rw-rw-r--. 1 apache splice 14399354 Sep 11 08:49 /var/log/splice/spacewalk_splice_tool.log.1
-rw-rw-r--. 1 splice splice     5439 Sep 11 12:49 /var/log/splice/splice.log
-rw-rw-r--. 1 apache splice 14697545 Sep 11 12:46 /var/log/splice/splice.log.1
Comment 5 errata-xmlrpc 2013-10-01 11:25:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html
Note You need to log in before you can comment on or make changes to this bug.