Dear developers, SELinux on latest CentOS 6.8 (selinux-policy-3.7.19-292.el6) prevents ejabberd (ejabberd-2.1.13-1.el6) log rotation. Below are deny messages from audit.log caught in SE permissive mode:

type=AVC msg=audit(1474095241.805:711): avc: denied { write } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.805:711): avc: denied { open } for pid=16027 comm="ejabberdctl" name="ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.806:712): avc: denied { lock } for pid=16028 comm="flock" path="/var/lock/ejabberdctl/ejabberdctl-1" dev=dm-0 ino=1048646 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1474095241.845:713): avc: denied { name_bind } for pid=16035 comm="epmd" src=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.954:714): avc: denied { listen } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1474095241.955:715): avc: denied { name_connect } for pid=16029 comm="beam" dest=4369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1474095241.966:716): avc: denied { accept } for pid=16029 comm="beam" laddr=127.0.0.1 lport=39946 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=tcp_socket

Thanks in advance! Garri
Thanks for the bug report Garri! I normally would reassign SELinux tickets to the selinux-policy package in Fedora, but I realized that for EPEL the selinux-policy package is not distributed by EPEL but by Red Hat Enterprise Linux. I suspect that they will not want to support an EPEL package, so I think the right thing is for ejabberd in EPEL to distribute an SELinux policy of its own. I don't have much time in my immediate future to write such a policy, but I'll keep this on my radar for when I have some free time and a hankering for policy writing ☺ If someone wants to take the time to write a policy and attach it to this ticket, that could help us out a lot.
Hi Randy, Thank you for the clarification! I found that moving the burden to run ejabberdctl to reopen log files from logrotate to init script function solves the problem. Below are my local modifications:

--- /root/backup/ejabberd.init 2016-09-20 13:14:44.059706940 +0500 +++ /etc/init.d/ejabberd 2016-09-20 14:17:07.166706547 +0500 @@ -84,6 +84,10 @@ start } +reopen-log() { + runuser -s /bin/bash - ejabberd -c "/usr/sbin/ejabberdctl reopen-log" +} + # See how we were called. case "$1" in start) @@ -101,8 +105,11 @@ status) $progctl status ;; + reopen-log) + reopen-log + ;; *) - echo "Usage: ejabberd {start|stop|restart|force-reload|condrestart|try-restart|status}" + echo "Usage: ejabberd {start|stop|restart|force-reload|condrestart|try-restart|status|reopen-log}" exit 2 esac ============= --- /root/backup/ejabberd.logrotate 2016-09-20 14:18:57.763706964 +0500 +++ /etc/logrotate.d/ejabberd 2016-09-20 14:20:32.628706734 +0500 @@ -4,6 +4,6 @@ create 0640 ejabberd ejabberd sharedscripts postrotate - runuser -s /bin/bash - ejabberd -c "/usr/sbin/ejabberdctl reopen-log" >/dev/null 2>/dev/null || true + /sbin/service ejabberd reopen-log >/dev/null 2>/dev/null || true endscript } ============

Is it possible to adapt the modifications to EPEL repo? Thanks in advance!
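Review bot: in the first init-script hunk (`@@ -84,6 +84,10 @@`), the new function is declared as `reopen-log() {`; a hyphen in a function name is accepted by bash but is not a valid POSIX sh function name, so the script is now bash-only. Either make sure the shebang is `#!/bin/bash` or rename it to `reopen_log` and keep the hyphenated form only in the `case` label. It would also help to note in the ticket why the indirection makes the AVC denials disappear: the work is no longer done in the caller's `logrotate_t` domain but in the domain the init script transitions to, so this routes around the confinement rather than granting the missing permissions in a policy module.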
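Review bot: in the second init-script hunk (`@@ -101,8 +105,11 @@`), the new `reopen-log)` branch calls the function unconditionally. If logrotate fires while ejabberd is stopped, `ejabberdctl reopen-log` fails to reach the node, and because the logrotate side appends `|| true` the failure is never surfaced. Consider guarding the branch with the existing status check (`$progctl status`) and returning a non-zero exit status when the node is not running, as the other branches do.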
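Review bot: in the logrotate hunk (`@@ -4,6 +4,6 @@`), `>/dev/null 2>/dev/null || true` discards every failure of the reopen step. With `create 0640 ejabberd ejabberd` in effect, a rotation whose reopen fails leaves ejabberd writing to the renamed file while the freshly created log stays empty, and nothing reports it. Keep `|| true` so logrotate does not abort, but let stderr through, e.g. `/sbin/service ejabberd reopen-log >/dev/null || true`, so the error reaches cron mail or the logrotate log.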
It appears that ejabberd is retired in EPEL 6: 2014-12-17: Retired orphaned package, because it was orphaned for more than six weeks. Reference: https://fedorahosted.org/epel/ticket/7 https://admin.fedoraproject.org/pkgdb/package/rpms/ejabberd/