Bug 1422424 - error creating output file /var/lib/logrotate.status.tmp: Permission denied
Summary: error creating output file /var/lib/logrotate.status.tmp: Permission denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5-Alt
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1477664
Reported: 2017-02-15 10:21 UTC by Karl Latiss
Modified: 2021-03-11 14:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:00:04 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2018:3111, last updated 2018-10-30 10:01:02 UTC

Description Karl Latiss 2017-02-15 10:21:10 UTC
Description of problem:
logrotate fails to run with selinux set to enforcing, /etc/cron.daily/logrotate moved to /etc/cron.hourly/logrotate and CIS hardening applied

Note that moving logrotate from daily to hourly is likely irrelevant but mentioned for completeness.

Version-Release number of selected component (if applicable):

$ rpm -qa | egrep '(selinux|logrotate)'
selinux-policy-3.13.1-102.el7_3.13.noarch
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
logrotate-3.8.6-12.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Apply CIS hardening rules (specifically around /etc/cron.* directory permissions)
2. Move /etc/cron.daily/logrotate to /etc/cron.hourly/logrotate (bonus step - unlikely to be an issue)
3. Wait for cron to run on the hour

Actual results:

/etc/cron.hourly/logrotate:

error: error creating output file /var/lib/logrotate.status.tmp: Permission denied

Expected results:

No output.

Additional info:

On a clean install:

$ sudo semanage fcontext -l | grep -i logrotate
/etc/cron\.(daily|weekly)/sysklogd                 regular file       system_u:object_r:logrotate_exec_t:s0 
/var/lib/logrotate(/.*)?                           all files          system_u:object_r:logrotate_var_lib_t:s0 
/var/lib/logrotate\.status.*                       regular file       system_u:object_r:logrotate_var_lib_t:s0 
/usr/sbin/logrotate                                regular file       system_u:object_r:logrotate_exec_t:s0 

$ sudo restorecon -vr /var/lib/logrotate.status
restorecon reset /var/lib/logrotate.status context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:logrotate_var_lib_t:s0

I'm not sure why but it looks like the right context was not applied at install.

For good measure I have also applied

$ sudo semanage fcontext -a -t logrotate_var_lib_t '/var/lib/logrotate\.status\.*'

These changes have fixed the error for me.

See also
https://bugzilla.redhat.com/show_bug.cgi?id=1127415
https://bugzilla.redhat.com/show_bug.cgi?id=1228531

Comment 1 Milos Malik 2017-02-15 10:52:00 UTC
Could you collect SELinux denials, which appear as a result of "error: error creating output file /var/lib/logrotate.status.tmp: Permission denied", and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 3 Karl Latiss 2017-02-15 22:49:15 UTC
$ sudo ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=1 name=/var/lib/logrotate.status.tmp objtype=CREATE 
node=ip-172-31-19-13.eu-west-1.compute.internal type=PATH msg=audit(15/02/17 00:01:01.563:7150) : item=0 name=/var/lib/ inode=137 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT 
node=ip-172-31-19-13.eu-west-1.compute.internal type=CWD msg=audit(15/02/17 00:01:01.563:7150) :  cwd=/root 
node=ip-172-31-19-13.eu-west-1.compute.internal type=SYSCALL msg=audit(15/02/17 00:01:01.563:7150) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xa28310 a1=O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a2=0600 a3=0xe items=2 ppid=15855 pid=15857 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=40 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
node=ip-172-31-19-13.eu-west-1.compute.internal type=AVC msg=audit(15/02/17 00:01:01.563:7150) : avc:  denied  { create } for  pid=15857 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file 
----
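
An added example (not code from the bug report or from Red Hat): a small Python script that summarises `ausearch -i` output like the records above, grouping each denied permission by source domain, target type, object class and permission so a failure that repeats every cron run is reported once with a count, and flagging file denials whose target carries a generic base type such as var_lib_t. The sample records are constructed, modelled on Comment 3 (hostname, pids and timestamps are made up), with an unrelated capability denial included to show the grouping; `matchpathcon -V` and `restorecon` in the hint are the stock SELinux tools, not something the bug report prescribes.

```python
"""Summarise SELinux AVC denials from `ausearch -i` output (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the Comment 3 records; the mandb_t capability
# denial is unrelated noise, included to show that grouping keeps it separate.
SAMPLE = """\
----
node=host1 type=SYSCALL msg=audit(15/02/17 00:01:01.563:7150) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
node=host1 type=AVC msg=audit(15/02/17 00:01:01.563:7150) : avc:  denied  { create } for  pid=15857 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=host1 type=AVC msg=audit(15/02/17 01:01:01.665:7210) : avc:  denied  { create } for  pid=16089 comm=logrotate name=logrotate.status.tmp scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
node=host1 type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc:  denied  { dac_read_search } for  pid=16848 comm=man-db.cron capability=dac_read_search  scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability
node=host1 type=AVC msg=audit(15/02/17 03:32:01.863:7544) : avc:  denied  { dac_override } for  pid=16848 comm=man-db.cron capability=dac_override  scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tclass=capability
----
node=host1 type=USER_AVC msg=audit(15/02/17 09:45:55.665:12241) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd'
"""

# Shape of a record: "type=AVC ... avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r"\btype=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted in raw audit.log

# Base types a file gets by inheriting its parent directory's label; a confined
# domain normally owns a private type for its state (here logrotate_var_lib_t).
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(text):
    """Return one dict per denied permission found in type=AVC records."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, CWD, USER_AVC and "----" separators
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        for perm in m.group("perms").split():  # "{ read write }" -> two entries
            denials.append({
                "perm": perm,
                "comm": fields.get("comm", "?"),
                "name": fields.get("name"),  # absent for capability denials
                "sdomain": context_type(fields.get("scontext", "")),
                "ttype": context_type(fields.get("tcontext", "")),
                "tclass": fields.get("tclass", "?"),
            })
    return denials


def summarise(denials):
    """Count denials by (comm, source domain, target type, class, permission)."""
    return Counter((d["comm"], d["sdomain"], d["ttype"], d["tclass"], d["perm"]) for d in denials)


def mislabel_hints(counts):
    """Flag file denials whose target type is a generic base type: the usual
    sign that the object carries an inherited label instead of the domain's own."""
    hints = []
    for (comm, sdomain, ttype, tclass, perm), n in sorted(counts.items()):
        if tclass == "file" and ttype in GENERIC_FILE_TYPES:
            hints.append(f"{comm} ({sdomain}) denied '{perm}' on a {ttype} file {n}x: "
                         f"verify the path's label with matchpathcon -V and relabel with restorecon")
    return hints


if __name__ == "__main__":
    counts = summarise(parse_avc(SAMPLE))
    for key, n in sorted(counts.items()):
        print(n, *key)
    for hint in mislabel_hints(counts):
        print("hint:", hint)
```

Feed it real output with `ausearch -m avc -m user_avc -i -ts today | python3 summarise_avc.py`-style piping by replacing SAMPLE with `sys.stdin.read()`; the grouping collapses the hourly repeats into a single line.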

Comment 4 Milos Malik 2017-02-22 09:20:18 UTC
Could you paste here the output of the following 2 commands executed on your machine?

# sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t; 

# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

The sesearch tool comes from setools-console package.

Comment 5 Michael Mol 2017-03-09 15:11:13 UTC
I have similar symptoms on a slightly older version of CentOS 7.

I have systems that work fine, and systems that don't. On the systems that don't work fine, I had selectively run "yum update logrotate".

I started getting "error: error creating state file /var/lib/logrotate/logrotate.status: Permission denied" errors in my emails.

Checking SELinux, I found "type=AVC msg=audit(1488962942.318:4517026): avc:  denied  { write } for  pid=14985 comm="logrotate" name="logrotate.status" dev="vda2" ino=349 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file"


SELinux context on a system where it works:

-rw-r--r--. root root system_u:object_r:logrotate_var_lib_t:s0 /var/lib/logrotate/logrotate.status


SELinux context on a system where it does not:

-rw-r--r--. root root system_u:object_r:var_lib_t:s0   /var/lib/logrotate/logrotate.status

Googling for similar issues, I found reports that removing the file may fix the issue, but it did not (at least for me). Reinstalling the package also did not help. I did discover that the parent directory to the logrotate.status file has the same context as the file itself, so I suspect the file is inheriting the parent directory's context upon creation. I've now removed the parent directory on the affected hosts and am attempting a reinstall, to see if the context changes.


Per the sesearch needinfo, here is my output:

# sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t;


# sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Comment 6 Michael Mol 2017-03-09 15:21:15 UTC
Ignore my comment. Updating selinux-policy resolved my issue.

Comment 7 Karl Latiss 2017-04-06 09:37:35 UTC
Apologies for the delay.

$ sudo sesearch -s logrotate_t -t var_lib_t -T
Found 1 semantic te rules:
   type_transition logrotate_t var_lib_t : file logrotate_var_lib_t; 

$ sudo sesearch -s logrotate_t -t logrotate_var_lib_t -c file -p create -A -C
Found 1 semantic av rules:
   allow logrotate_t logrotate_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Comment 9 Karl Latiss 2017-04-18 05:02:47 UTC
It seems that this is not a bug after all. The issue related to a logrotate cron configuration script incorrectly deployed via configuration management. It was using an older (RHEL 6) config entry.

Comment 10 André Bauer 2017-06-06 07:38:43 UTC
So how to fix it?

semanage fcontext -a -t logrotate_var_lib_t /var/lib/logrotate.status.tmp
restorecon /var/lib/logrotate.status.tmp

Gives me:

restorecon:  lstat(/var/lib/logrotate.status.tmp) failed:  No such file or directory

Comment 14 errata-xmlrpc 2018-10-30 10:00:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

