Hide Forgot
Description of problem: SELinux does not allow logrotate to tell chronyd to reopen log files. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-292.el6.noarch (also: chrony-2.1.1-1.el6.x86_64) How reproducible: Easily. Steps to Reproduce: 1. Make sure SELinux is enabled and enforcing. 2. Install chrony. 3. Enable logging in /etc/chrony.conf (for instance, I wanted to enable the tracking log with "log tracking"). 4. Wait. Actual results: logrotate renames the current log file but the invocation of "chronyc -a cyclelogs" in its postrotate scriptlet fails because chronyc is running as logrotate_t and logrotate_t is not allowed to read chronyd_keys_t files like /etc/chrony.keys. chronyd does not create a new log file and keeps writing to the old one. Here is a sample record of the failure from audit.log: type=AVC msg=audit(1477445821.779:19618): avc: denied { read } for pid=11448 comm="chronyc" name="chrony.keys" dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file type=SYSCALL msg=audit(1477445821.779:19618): arch=c000003e syscall=2 success=no exit=-13 a0=7ffeedc115e0 a1=0 a2=1b6 a3=0 items=0 ppid=11447 pid=11448 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2307 comm="chronyc" exe="/usr/bin/chronyc" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Expected results: chronyd closes the old log file, creates a new one and writes new log messages there. Additional info: Obviously, manual invocations of logrotate running as unconfined_t are not affected.
Could you re-run the scenario in enforcing mode after making the logrotate_t domain permissive? # semanage permissive -a logrotate_t So that we know if there are additional SELinux denials. # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
[root@xxxxx ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today ---- type=SYSCALL msg=audit(11/26/2016 03:29:01.799:3867) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fff2ddd55a0 a1=O_RDONLY a2=0x1b6 a3=0x0 items=0 ppid=16372 pid=16373 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=592 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/26/2016 03:29:01.799:3867) : avc: denied { open } for pid=16373 comm=chronyc name=chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file type=AVC msg=audit(11/26/2016 03:29:01.799:3867) : avc: denied { read } for pid=16373 comm=chronyc name=chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file ---- type=SYSCALL msg=audit(11/26/2016 03:29:01.799:3868) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7fff2ddd5400 a2=0x7fff2ddd5400 a3=0x0 items=0 ppid=16372 pid=16373 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=592 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/26/2016 03:29:01.799:3868) : avc: denied { getattr } for pid=16373 comm=chronyc path=/etc/chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html