1422424 – error creating output file /var/lib/logrotate.status.tmp: Permission denied

Bug 1422424 - error creating output file /var/lib/logrotate.status.tmp: Permission denied

Summary: error creating output file /var/lib/logrotate.status.tmp: Permission denied

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.5-Alt
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1477664
TreeView+	depends on / blocked

Reported:	2017-02-15 10:21 UTC by Karl Latiss
Modified:	2018-10-30 10:01 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:00:04 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	None	None	None	2018-10-30 10:01:02 UTC

Description Karl Latiss 2017-02-15 10:21:10 UTC

Description of problem:
logrotate fails to to run with selinux set to enforcing, /etc/cron.daily/logrotate moved to /etc/cron.hourly/logrotate and CIS hardening applied

Note that moving logrotate from daily to hourly is likely irrelevant but mentioned for completeness.

Version-Release number of selected component (if applicable):

$ rpm -qa | egrep '(selinux|logrotate)'
selinux-policy-3.13.1-102.el7_3.13.noarch
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
logrotate-3.8.6-12.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Apply CIS hardening rules (specifically around /etc/cron.* directory permissions)
2. Move /etc/cron.daily/logrotate to /etc/cron.hourly/logrotate (bonus step - unlikely to be an issue)
3. Wait for cron to run on the hour

Actual results:

/etc/cron.hourly/logrotate:

error: error creating output file /var/lib/logrotate.status.tmp: Permission denied

Expected results:

No output.

Additional info:

On a clean install:

$ sudo semanage fcontext -l | grep -i logrotate
/etc/cron\.(daily|weekly)/sysklogd                 regular file       system_u:object_r:logrotate_exec_t:s0 
/var/lib/logrotate(/.*)?                           all files          system_u:object_r:logrotate_var_lib_t:s0 
/var/lib/logrotate\.status.*                       regular file       system_u:object_r:logrotate_var_lib_t:s0 
/usr/sbin/logrotate                                regular file       system_u:object_r:logrotate_exec_t:s0 

$ sudo restorecon -vr /var/lib/logrotate.status
restorecon reset /var/lib/logrotate.status context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:logrotate_var_lib_t:s0

I'm not sure why but it looks like the right context was not applied at install.

For good measure I have also applied

$ sudo semanage fcontext -a -t logrotate_var_lib_t '/var/lib/logrotate\.status\.*'

These changes have fixed the error for me.

See also
https://bugzilla.redhat.com/show_bug.cgi?id=1127415
https://bugzilla.redhat.com/show_bug.cgi?id=1228531

Comment 1 Milos Malik 2017-02-15 10:52:00 UTC

Could you collect SELinux denials, which appear as a result of "error: error creating output file /var/lib/logrotate.status.tmp: Permission denied", and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 3 Karl Latiss 2017-02-15 22:49:15 UTC

$ sudo ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 00:01:01.563:7150) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 00:01:01.563:7150) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xa28310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=15855 pid=15857 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=40 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 00:01:01.563:7150) : avc:  denied  { create } for  pid=15857 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 01:01:01.665:7210) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 01:01:01.665:7210) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 01:01:01.665:7210) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 01:01:01.665:7210) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1ae7310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16087 pid=16089 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=42 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 01:01:01.665:7210) : avc:  denied  { create } for  pid=16089 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 02:01:01.768:7513) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 02:01:01.768:7513) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 02:01:01.768:7513) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 02:01:01.768:7513) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1474310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16567 pid=16569 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=46 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 02:01:01.768:7513) : avc:  denied  { create } for  pid=16569 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:01:01.856:7535) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:01:01.856:7535) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 03:01:01.856:7535) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 03:01:01.856:7535) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x103d310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16749 pid=16751 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=47 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:01:01.856:7535) : avc:  denied  { create } for  pid=16751 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 03:32:01.863:7544) : item=0 name=/etc/cron.daily/man-db.cron objtype=UNKNOWN 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 03:32:01.863:7544) :  cwd=/ 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 03:32:01.863:7544) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x24cf160 a1=O_RDONLY a2=0x6e6f72 a3=0x3 items=1 ppid=16838 pid=16848 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=47 comm=man-db.cron exe=/usr/bin/bash subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc:  denied  { dac_read_search } for  pid=16848 comm=man-db.cron capability=dac_read_search  scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc:  denied  { dac_override } for  pid=16848 comm=man-db.cron capability=dac_override  scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 04:01:01.941:7556) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 04:01:01.941:7556) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 04:01:01.941:7556) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 04:01:01.941:7556) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xb21310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=16957 pid=16959 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=48 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 04:01:01.941:7556) : avc:  denied  { create } for  pid=16959 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 05:01:02.028:7574) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 05:01:02.028:7574) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 05:01:02.028:7574) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 05:01:02.028:7574) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x17cc310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17156 pid=17158 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=49 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 05:01:02.028:7574) : avc:  denied  { create } for  pid=17158 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 06:01:01.113:7592) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 06:01:01.113:7592) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 06:01:01.113:7592) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 06:01:01.113:7592) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x12d0310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17331 pid=17333 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=50 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 06:01:01.113:7592) : avc:  denied  { create } for  pid=17333 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 07:01:01.198:7612) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 07:01:01.198:7612) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 07:01:01.198:7612) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 07:01:01.198:7612) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x25e2310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17509 pid=17511 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=51 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 07:01:01.198:7612) : avc:  denied  { create } for  pid=17511 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 08:01:01.284:7630) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 08:01:01.284:7630) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 08:01:01.284:7630) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 08:01:01.284:7630) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1f00310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17708 pid=17710 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=52 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 08:01:01.284:7630) : avc:  denied  { create } for  pid=17710 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 09:01:01.365:7650) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 09:01:01.365:7650) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 09:01:01.365:7650) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 09:01:01.365:7650) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x20b5310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=17886 pid=17888 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=53 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 09:01:01.365:7650) : avc:  denied  { create } for  pid=17888 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=USER_AVC msg=audit(15/02/17 09:45:55.665:12241) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 10:01:01.454:12247) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 10:01:01.454:12247) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 10:01:01.454:12247) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 10:01:01.454:12247) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xb88310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=18107 pid=18109 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=55 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 10:01:01.454:12247) : avc:  denied  { create } for  pid=18109 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Comment 4 Milos Malik 2017-02-22 09:20:18 UTC

Could you paste here the output of following 2 commands executed on your machine?

# sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t; 

# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

The sesearch tool comes from setools-console package.

Comment 5 Michael Mol 2017-03-09 15:11:13 UTC

I have similar symptoms on a slightly older version of CentOS 7.

I have systems that work fine (, and systems that don't. The systems that don't work fine, I had selectively run "yum update logrotate" on them.

I started getting "error: error creating state file /var/lib/logrotate/logrotate.status: Permission denied" errors in my emails.

Checking SELinux, I found "type=AVC msg=audit(1488962942.318:4517026): avc:  denied  { write } for  pid=14985 comm="logrotate" 
name="logrotate.status" dev="vda2" ino=349 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:var_lib_t:s0 tclass=file"


SELinux context on a system where it works:

<pre>-rw-r--r--. root root system_u:object_r:logrotate_var_lib_t:s0 /var/lib/logrotate/logrotate.status</pre>


SELinux context on a system where it does not:

<pre>-rw-r--r--. root root system_u:object_r:var_lib_t:s0   /var/lib/logrotate/logrotate.status</pre>

Googling for similar issues, I found reports that removing the file may fix the issue, but it did not (at least for me). Reinstalling the package also did not help. I did discover that the parent directory to the logrotate.status file has the same context as the file itself, so I suspect the file is inheriting the parent directory's context upon creation. I've now removed the parent directory on the affected hosts and am attempting a reinstall, to see if the context changes.


Per the sesearch needinfo, here is my output:

<pre># sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t;


# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;</pre>

Comment 6 Michael Mol 2017-03-09 15:21:15 UTC

Ignore my comment. updating selinux-policy resolved my issue.

Comment 7 Karl Latiss 2017-04-06 09:37:35 UTC

Apologies for the delay.

$ sudo sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t; 

$ sudo sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Comment 9 Karl Latiss 2017-04-18 05:02:47 UTC

It seems that this is not a bug after all. The issue related to a logrotate cron configuration script incorrectly deployed via configuration management. It was using an older (RHEL 6) config entry.

Comment 10 André Bauer 2017-06-06 07:38:43 UTC

So how to fix it?

semanage fcontext -a -t logrotate_var_lib_t /var/lib/logrotate.status.tmp
restorecon /var/lib/logrotate.status.tmp

Gives me:

restorecon:  lstat(/var/lib/logrotate.status.tmp) failed:  No such file or directory

Comment 14 errata-xmlrpc 2018-10-30 10:00:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.