Bug 1426600 - /etc/logrotate.d/rabbitmq-server leads to "Password: su: Authentication failure" [NEEDINFO]
Summary: /etc/logrotate.d/rabbitmq-server leads to "Password: su: Authentication failure"
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: rabbitmq-server
Version: epel7
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1413775
Blocks:
Reported: 2017-02-24 12:30 UTC by Robert Scheck
Modified: 2020-01-30 12:52 UTC (History)
CC List: 16 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
redhat-bugzilla: needinfo? (lemenkov)



Description Robert Scheck 2017-02-24 12:30:40 UTC
Description of problem:
/etc/logrotate.d/rabbitmq-server leads to the following logrotate failures:

--- snipp ---
Date: Fri, 24 Feb 2017 03:37:11 +0100 (CET)
From: Anacron <root@tux.example.net>
To: root@tux.example.net
Subject: Anacron job 'cron.daily' on tux.example.net
Message-Id: <20170224023711.2735E406C4@tux.example.net>

/etc/cron.daily/logrotate:

Password: su: Authentication failure
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
--- snapp ---

Version-Release number of selected component (if applicable):
rabbitmq-server-3.3.5-31.el7.noarch

How reproducible:
Every time, just install rabbitmq-server on RHEL 7.3 with SELinux enforced.

Actual results:
/etc/logrotate.d/rabbitmq-server leads to failure messages.

Expected results:
Working logrotate via /etc/logrotate.d/rabbitmq-server simply.

Comment 1 Gerald Vogt 2017-03-05 10:18:42 UTC
Same here. The problem is the su in the rabbitmqctl script. To reproduce you can set up a simple cron job:

/etc/cron.d/test:
* * * * * root /root/test.sh

/root/test.sh:
#! /bin/bash
# print the uid/gid and the SELinux context the cron job runs with
echo "id: `id`"
echo "id -r -u: `id -r -u`"
echo "id -r -g: `id -r -g`"
# switch to the rabbitmq user the same way the rabbitmqctl script does
su rabbitmq -s /bin/sh -c "id"
---------

Set context of test.sh to system_u:object_r:logrotate_exec_t:s0.

Output of cronjob:
id: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:logrotate_t:s0-s0:c0.c1023
id -r -u: 0
id -r -g: 0
Password: su: Authentication information cannot be recovered
---------

audit.log contains:
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
---------

This happens even if a local policy has been added to allow it:
# audit2allow < /var/log/audit/audit.log


#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t self:passwd passwd;
---------

I have modified /etc/pam.d/su to enable debug output for rootok:
auth		sufficient	pam_rootok.so debug

and /var/log/secure also contains the following message then:
su: pam_rootok(su:auth): root check failed

If the test script is bin_t instead of logrotate_exec_t it works.

sudo instead of su also works.

Thus, either selinux needs to be adjusted or the rabbitmqctl script should use sudo instead of su to change from root to the rabbitmq user.

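The USER_AVC record quoted in comment 1 is what this failure looks like in audit.log, and it is easy to search for across a fleet. The following Python script is an added example; it is not part of the bug report or of the rabbitmq-server package. It parses the audit line quoted above plus one constructed, benign record, and flags denials of the passwd class that a logrotate_t process hit while running su. The function names parse_user_avc, flags_su_under_logrotate and triage are the example's own.

```python
import re

# First record: the USER_AVC line quoted in comment 1 of this bug.
# Second record: constructed here, a granted decision that must not be flagged.
SAMPLE_AUDIT_LINES = [
    "type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 "
    "subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd } for  "
    "scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd  exe=\"/usr/bin/su\" "
    "sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1488708100.000:189730): pid=22001 uid=0 auid=0 ses=5787 "
    "subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='avc:  granted  { passwd } for  "
    "scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=passwd  exe=\"/usr/bin/su\" "
    "sauid=0 hostname=? addr=? terminal=?'",
]

# "avc:  denied  { passwd } for  ..." -> decision and permission set
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+")
# key=value pairs; values are either double-quoted (exe="...") or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _domain(context):
    """Reduce an SELinux context user:role:type:range to its type (domain)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_user_avc(line):
    """Return the interesting fields of a USER_AVC record as a dict,
    or None when the line carries no AVC decision."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Later duplicates (the second msg=) overwrite earlier ones; none of the
    # keys we read below are duplicated, so this is safe.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "source_domain": _domain(fields.get("scontext", "")),
        "target_domain": _domain(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "exe": fields.get("exe", ""),
    }


def flags_su_under_logrotate(rec):
    """True when a logrotate_t process was denied the passwd permission while
    running su: the failure mode this bug describes. USER_AVC records are
    emitted by a userspace object manager (here su itself, see exe=), not
    by the kernel, which is why a plain grep for 'avc: denied' in the kernel
    AVC records would miss it."""
    return (
        rec is not None
        and rec["decision"] == "denied"
        and rec["source_domain"] == "logrotate_t"
        and rec["tclass"] == "passwd"
        and "passwd" in rec["perms"]
        and rec["exe"].endswith("/su")
    )


def triage(lines):
    """Return the parsed records, in order, that match this failure mode."""
    return [rec for rec in map(parse_user_avc, lines) if flags_su_under_logrotate(rec)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT_LINES):
        print("pid %s: %s denied %s on class %s from %s"
              % (rec["pid"], rec["exe"], rec["perms"], rec["tclass"], rec["source_domain"]))
```

Feed it `ausearch -m USER_AVC --raw` output line by line (or the raw audit.log) to find hosts where the rabbitmq postrotate script is silently failing; a hit means log rotation for rabbitmq is not happening on that host until the policy or the script is changed as comment 1 suggests.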
Comment 2 Alex 2017-08-24 22:59:52 UTC
Hi Redhat

We also met the same problem.

CentOS Linux release 7.3.1611
Kernel 4.12.8-1.el7.elrepo.x86_64
Rabbitmq-server 3.6.9-1

E-mail from logrotate:
========================================================
To: "root@pm-mq-02" <root@pm-mq-02>
Subject: Anacron job 'cron.daily' on pm-mq-02

/etc/cron.daily/logrotate:

Password: su: Authentication failure
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
========================================================

Comment 3 Frank Büttner 2020-01-30 12:52:30 UTC
Hi,
are there any news about a new package that will fix it?

