Bug 1473349 - Logrotate cannot access candlepin logs
Status: POST
Product: Candlepin
Classification: Community
Component: candlepin
Version: 0.9.54
Hardware / OS: Unspecified / Unspecified
Priority: urgent
Severity: high
Target Release: 2.1
Assigned To: candlepin-bugs
QA Contact: Katello QA List
Keywords: Triaged
Reported: 2017-07-20 10:53 EDT by Kevin Howell
Modified: 2017-10-18 04:29 EDT
CC: 24 users
Fixed In Version: candlepin-0.9.54.25
Clone Of: 1473348
Type: Bug

External Trackers: Red Hat Knowledge Base (Solution) 3154401 (last updated 2017-08-17 03:38 EDT)
Comment 1 Alex Wood 2017-07-25 15:14:24 EDT
commit 9357aa4761c78b19a0ddd47816cba7fb92b4891d
Author: Alex Wood <awood@redhat.com>
Date:   Mon Jul 24 16:23:53 2017 -0400

    1473349: Fix SELinux error when logrotate runs on candlepin logs
Comment 2 Chris Duryee 2017-08-04 10:29:26 EDT
Is there an selinux boolean or file context we could set as a workaround?
Comment 3 Alex Wood 2017-08-04 11:01:21 EDT
You could change the file context back to var_log_t I think.
Comment 4 Jason Dickerson 2017-08-04 11:09:43 EDT
Alex, can we not just make the change in commit 1655 to /usr/share/doc/candlepin-selinux-0.9.54.24/candlepin.te and then run /usr/share/doc/candlepin-selinux-0.9.54.24/candlepin.sh --update? Would that work?
Comment 5 Alex Wood 2017-08-04 11:27:59 EDT
Yes, that would update the policy with the denials found in the audit log and then you could install the new policy module.
Comment 6 Jason Dickerson 2017-08-04 11:38:12 EDT
The candlepin.sh requires /usr/share/selinux/devel/Makefile, which is not on a Satellite. Not sure I should install selinux-policy-devel on a Satellite.
Comment 9 Peter Vreman 2017-08-17 08:15:55 EDT
In the KB it is written RHEL7.4, but it also applies to RHEL7.3, where we have seen the same issue.
Comment 10 Peter Vreman 2017-08-17 08:17:04 EDT
I think RHEL7.3 shall be added.
Because the current KB makes me as a customer think that if I stay on RHEL7.3 then I do not have the problem.
Comment 12 James Hartsock 2017-08-17 16:59:08 EDT
So I have no issue when I run this as root and force log rotation:
~~~
# /usr/sbin/logrotate -f /etc/logrotate.d/candlepin
~~~

But the nightly /etc/cron.daily/logrotate generates the error, which results in e-mail to the root user (which for many enterprise environments results in admin notification).

Also confirmed today that this happens on fresh OS & satellite 6.2 install...
~~~
# aureport -a
<snip>
20. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 841
21. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 842
22. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 843
23. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 844
24. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 845
25. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 846
~~~


What are the exact steps we can provide customers to correct this?
Comment 13 James Hartsock 2017-08-17 19:20:11 EDT
Able to reproduce it...

Hack logrotate so it doesn't know it already did candlepin:
~~~
# cp -ap /var/lib/logrotate/logrotate.status /var/lib/logrotate/logrotate.status.save
# grep -v /var/log/candlepin/ /var/lib/logrotate/logrotate.status.save > /var/lib/logrotate/logrotate.status
~~~

Now remove cron.daily so it runs on the next check:
~~~
# rm /var/spool/anacron/cron.daily
~~~


Wait for anacron to run it for us at top of hour...
~~~
# tail -f /var/log/cron
Aug 17 17:01:01 sat6 anacron[22714]: Will run job `cron.daily' in 7 min.
Aug 17 17:08:17 sat6 run-parts(/etc/cron.daily)[23163]: starting logrotate
Aug 17 17:08:17 sat6 run-parts(/etc/cron.daily)[23380]: finished logrotate

# aureport -a
27. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 643
28. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 644
29. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 645
30. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 646
31. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 647
32. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 648
~~~
Comment 19 Ben 2017-10-06 06:16:17 EDT
Additional (superfluous?) datapoint.

RHEL7.4 fully updated as of 2017-10-06
Satellite 6.2.12 fully updated as of same date

Seems I can't even fix this manually:

~~~
# grep logrotate /var/log/audit/audit.log | audit2why
[...]
type=AVC msg=audit(1507255941.668:4582): avc:  denied  { getattr } for  pid=64893 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-2" ino=402770458 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
[...]
# audit2allow -a -M logrotate_t
# semodule -i logrotate_t.pp
# chcon -R -t logrotate_t /var/log/candlepin/*.log
chcon: failed to change context of '/var/log/candlepin/audit.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/candlepin.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/cpdb.log' to 'unconfined_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/cpinit.log' to 'unconfined_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/error.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
~~~

Any chance this can make it into 6.2.12 as a hotfix?
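The denials in Comments 12, 13 and 19 appear in two shapes: raw `type=AVC` records in /var/log/audit/audit.log and the one-line summary rows printed by `aureport -a`. The script below is an added example (not code from the Candlepin project or from anyone in this bug) that parses both shapes into one record format, filters for denials from the `logrotate_t` domain against `candlepin_var_log_t` objects, and summarises which permissions were refused on which paths, which is the information you need before deciding whether a file context change or a policy update is the right fix. All sample lines are constructed: the first AVC line and the aureport row copy the ones quoted in this bug, the others are made up in the same format (including a rename denial, which this bug shows only as a logrotate error message, and an unrelated chronyd denial to exercise the filter).

```python
import re

# Constructed sample input, not captured from a real host. Line 1 is the AVC line
# from Comment 19, the aureport row is the shape shown in Comments 12/13, the
# remaining lines are made up in the same format.
SAMPLE_LINES = """\
type=AVC msg=audit(1507255941.668:4582): avc:  denied  { getattr } for  pid=64893 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-2" ino=402770458 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1507255941.668:4582): arch=c000003e syscall=4 success=no exit=-13 comm="logrotate"
type=AVC msg=audit(1507255941.670:4583): avc:  denied  { rename } for  pid=64893 comm="logrotate" name="audit.log.52.gz" dev="dm-2" ino=402770460 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1507255990.001:4599): avc:  denied  { write } for  pid=1201 comm="chronyd" name="drift" dev="dm-2" ino=12345 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
27. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 643
"""

# Raw audit.log AVC record: "type=AVC msg=audit(ts:serial): avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs in the AVC tail; values may be double-quoted (path, comm, name).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# aureport -a row: "N. date time comm scontext syscall class perm tcontext result event"
AUREPORT_RE = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+(?P<scontext>\S+)\s+"
    r"(?P<syscall>\d+)\s+(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<tcontext>\S+)\s+"
    r"(?P<result>denied|granted)\s+(?P<serial>\d+)\s*$"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def _record(result, perms, scontext, tcontext, tclass, comm, path, serial):
    return {
        "result": result, "perms": sorted(perms),
        "scontext": scontext, "tcontext": tcontext, "tclass": tclass,
        "stype": selinux_type(scontext), "ttype": selinux_type(tcontext),
        "comm": comm, "path": path, "serial": int(serial),
    }


def parse_line(line):
    """Parse one audit.log AVC line or one aureport row; return None for anything else."""
    m = AVC_RE.match(line)
    if m:
        fields = {}
        for kv in KV_RE.finditer(m.group("rest")):
            fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
        return _record(m.group("result"), m.group("perms").split(),
                       fields["scontext"], fields["tcontext"], fields["tclass"],
                       fields.get("comm"), fields.get("path") or fields.get("name"),
                       m.group("serial"))
    m = AUREPORT_RE.match(line)
    if m:
        return _record(m.group("result"), [m.group("perm")], m.group("scontext"),
                       m.group("tcontext"), m.group("tclass"), m.group("comm"),
                       None, m.group("serial"))
    return None


def find_denials(text, source_type=None, target_type=None):
    """Return parsed denials, optionally restricted to a source domain and/or target type."""
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        if source_type and rec["stype"] != source_type:
            continue
        if target_type and rec["ttype"] != target_type:
            continue
        found.append(rec)
    return found


def summarize(records):
    """Group denials by (source type, target type, object class) with perms and paths seen."""
    summary = {}
    for r in records:
        entry = summary.setdefault((r["stype"], r["ttype"], r["tclass"]),
                                   {"count": 0, "perms": set(), "paths": set()})
        entry["count"] += 1
        entry["perms"].update(r["perms"])
        if r["path"]:
            entry["paths"].add(r["path"])
    return summary


if __name__ == "__main__":
    hits = find_denials(SAMPLE_LINES, source_type="logrotate_t", target_type="candlepin_var_log_t")
    for (stype, ttype, tclass), e in summarize(hits).items():
        print(f"{stype} -> {ttype} ({tclass}): {e['count']} denials, "
              f"perms={sorted(e['perms'])}, paths={sorted(e['paths'])}")
```

On a real host the input would come from `grep AVC /var/log/audit/audit.log` or `aureport -a`; the summary lists every permission logrotate was refused on the candlepin log type, so you can tell whether a policy generated with audit2allow from the current log would cover the rename step as well as the getattr step, or whether the audit.log only shows the first failure.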
Comment 23 Ben 2017-10-18 04:27:26 EDT
Additionally, I'm also getting this email every morning:

~~~
/etc/cron.daily/logrotate:

error: error renaming /var/log/candlepin/audit.log.52.gz to /var/log/candlepin/audit.log.53.gz: Permission denied
error: error renaming /var/log/candlepin/candlepin.log.52.gz to /var/log/candlepin/candlepin.log.53.gz: Permission denied
error: error renaming /var/log/candlepin/error.log.52.gz to /var/log/candlepin/error.log.53.gz: Permission denied
~~~
