commit 9357aa4761c78b19a0ddd47816cba7fb92b4891d Author: Alex Wood <awood> Date: Mon Jul 24 16:23:53 2017 -0400 1473349: Fix SELinux error when logrotate runs on candlepin logs
Is there an selinux boolean or file context we could set as a workaround?
You could change the file context back to var_log_t I think.
Alex, can we not just make the change in commit 1655 to /usr/share/doc/candlepin-selinux-0.9.54.24/candlepin.te and then run /usr/share/doc/candlepin-selinux-0.9.54.24/candlepin.sh --update? Would that work?
Yes, that would update the policy with the denials found in the audit log and then you could install the new policy module.
The candlepin.sh requires /usr/share/selinux/devel/Makefile, which is not on a Satellite. Not sure I should install selinux-policy-devel on a Satellite.
In the KB it is written RHEL7.4, but it also applies to RHEL7.3, where we have seen the same issue.
I think RHEL7.3 should be added, because the current KB makes me, as a customer, think that if I stay on RHEL7.3 then I do not have the problem.
So I have no issue when I run this as root and force log rotation:

~~~
# /usr/sbin/logrotate -f /etc/logrotate.d/candlepin
~~~

But the nightly /etc/cron.daily/logrotate generates the error, which results in e-mail to the root user (which for many enterprise environments results in admin notification). Also confirmed today that this happens on a fresh OS & Satellite 6.2 install...

~~~
# aureport -a
<snip>
20. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 841
21. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 842
22. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 843
23. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 844
24. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 845
25. 08/17/2017 14:21:14 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 846
~~~

What are the exact steps we can provide customers to correct this?
Able to reproduce it...

Hack logrotate so it doesn't know it did candlepin already:

~~~
# cp -ap /var/lib/logrotate/logrotate.status /var/lib/logrotate/logrotate.status.save
# grep -v /var/log/candlepin/ /var/lib/logrotate/logrotate.status.save > /var/lib/logrotate/logrotate.status
~~~

Now remove cron.daily, so it runs at the next check:

~~~
# rm /var/spool/anacron/cron.daily
~~~

Wait for anacron to run it for us at the top of the hour...

~~~
# tail -f /var/log/cron
Aug 17 17:01:01 sat6 anacron[22714]: Will run job `cron.daily' in 7 min.
Aug 17 17:08:17 sat6 run-parts(/etc/cron.daily)[23163]: starting logrotate
Aug 17 17:08:17 sat6 run-parts(/etc/cron.daily)[23380]: finished logrotate
# aureport -a
27. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 643
28. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 644
29. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 645
30. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 646
31. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 647
32. 08/17/2017 17:08:17 logrotate system_u:system_r:logrotate_t:s0-s0:c0.c1023 6 file getattr system_u:object_r:candlepin_var_log_t:s0 denied 648
~~~
Additional (superfluous?) datapoint.

RHEL7.4 fully updated as of 2017-10-06
Satellite 6.2.12 fully updated as of same date

Seems I can't even fix this manually:

~~~
# grep logrotate /var/log/audit/audit.log | audit2why
[...]
type=AVC msg=audit(1507255941.668:4582): avc: denied { getattr } for pid=64893 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-2" ino=402770458 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
[...]
# audit2allow -a -M logrotate_t
# semodule -i logrotate_t.pp
# chcon -R -t logrotate_t /var/log/candlepin/*.log
chcon: failed to change context of '/var/log/candlepin/audit.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/candlepin.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/cpdb.log' to 'unconfined_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/cpinit.log' to 'unconfined_u:object_r:logrotate_t:s0': Permission denied
chcon: failed to change context of '/var/log/candlepin/error.log' to 'system_u:object_r:logrotate_t:s0': Permission denied
~~~

Any chance this can make it into 6.2.12 as a hotfix?
Additionally, I'm also getting this email every morning:

~~~
/etc/cron.daily/logrotate:

error: error renaming /var/log/candlepin/audit.log.52.gz to /var/log/candlepin/audit.log.53.gz: Permission denied
error: error renaming /var/log/candlepin/candlepin.log.52.gz to /var/log/candlepin/candlepin.log.53.gz: Permission denied
error: error renaming /var/log/candlepin/error.log.52.gz to /var/log/candlepin/error.log.53.gz: Permission denied
~~~
*** WORKAROUND until released in 6.2.Z ***

1) edit policy

~~~
# yum install selinux-policy-devel
# cd /usr/share/doc/candlepin-selinux-0.9.54.23/
# cp -p candlepin.pp candlepin.pp.orig   # if not present, no worries
# sed -ie 's/^files_type\((candlepin_var_log_t)\)$/logging_log_file\1/' candlepin.te
# grep '(candlepin_var_log_t)' candlepin.te
# make NAME=targeted -f /usr/share/selinux/devel/Makefile
# semodule -i candlepin.pp
~~~

2) verify resolution

~~~
# tail -n0 -f /var/log/cron
Aug 18 09:01:01 sat6 run-parts(/etc/cron.hourly)[9988]: starting 0anacron
Aug 18 09:01:01 sat6 anacron[9997]: Will run job `cron.daily' in 5 min.
Aug 18 09:06:13 sat6 run-parts(/etc/cron.daily)[10379]: starting logrotate
Aug 18 09:06:13 sat6 run-parts(/etc/cron.daily)[10529]: finished logrotate
# aureport -a -ts 08/18/2017 09:00:00

AVC Report
<no events of interest were found>
~~~
Selected output from doing the above:

~~~
# cp -p candlepin.pp candlepin.pp.orig
cp: cannot stat ‘candlepin.pp’: No such file or directory
(no worries)

# cp candlepin.te candlepin.te.orig
(because I'm paranoid)

# sed -ie 's/^files_type\((candlepin_var_log_t)\)$/logging_log_file\1/' candlepin.te
(no errors)

# diff candlepin.te candlepin.te.orig
30c30
< logging_log_file(candlepin_var_log_t)
---
> files_type(candlepin_var_log_t)

# grep '(candlepin_var_log_t)' candlepin.te
logging_log_file(candlepin_var_log_t)
(duh!)

# make NAME=targeted -f /usr/share/selinux/devel/Makefile
Compiling targeted candlepin module
/usr/bin/checkmodule: loading policy configuration from tmp/candlepin.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/candlepin.mod
Creating targeted candlepin.pp policy package
rm tmp/candlepin.mod.fc tmp/candlepin.mod

# semodule -i candlepin.pp
(no errors)
~~~

I'll let you know how it goes tomorrow morning when the logrotate runs again. Thanks again!
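The denials pasted earlier in this bug (the `audit2why` output) and the workaround's `sed` edit of candlepin.te are two sides of the same problem: candlepin_var_log_t was declared with `files_type()`, so it never received the `logfile` attribute that `logging_log_file()` assigns in the reference policy, and the rules that let logrotate_t manage log files do not cover it. The following script is an added example, not Candlepin's code or anything posted in this bug. It parses raw AVC lines from audit.log, flags file types that logrotate_t was denied access to, and applies the same whole-line rewrite the workaround's `sed` performs to a policy source. The audit lines and the candlepin.te fragment below are constructed from the formats shown in this bug, not copied from a real system.

```python
"""Classify SELinux AVC denials and apply the files_type -> logging_log_file
rewrite from the workaround. Added example; sample data is constructed."""
import re
from collections import Counter

# 'avc:  denied  { getattr } for  pid=... comm="logrotate" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, path, dev)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a denied AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        # user:role:type[:range]; the type is the third field
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
    }


def summarize(lines):
    """Count denials by (source domain, target type, object class, permission),
    the same grouping aureport -a shows one row per event for."""
    counts = Counter()
    for rec in map(parse_avc, lines):
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['sdomain'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def unlabelled_log_types(lines):
    """File/dir types that logrotate_t was denied on. In the reference policy
    logrotate_t may manage every type carrying the `logfile` attribute, so a
    type appearing here is a candidate for logging_log_file() rather than for
    an audit2allow module (assumption: the policy is the stock targeted one)."""
    return sorted({rec['ttype'] for rec in map(parse_avc, lines)
                   if rec and rec['sdomain'] == 'logrotate_t'
                   and rec['tclass'] in ('file', 'dir', 'lnk_file')})


def patch_te(te_text, type_name):
    """Rewrite a whole-line files_type(type_name) call to logging_log_file(...),
    mirroring the workaround's anchored sed expression. Returns (text, changed)."""
    pattern = re.compile(r'^files_type\(%s\)[ \t]*$' % re.escape(type_name), re.M)
    new_text, n = pattern.subn('logging_log_file(%s)' % type_name, te_text)
    return new_text, n > 0


# Constructed sample input in the audit.log format quoted in this bug.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1507255941.668:4582): avc:  denied  { getattr } for  pid=64893 '
    'comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-2" ino=402770458 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1507255941.670:4583): avc:  denied  { read write } for  pid=64893 '
    'comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-2" ino=402770459 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1507255941.668:4582): arch=c000003e syscall=4 success=no exit=-13',
]

# Constructed minimal policy fragment; the real candlepin.te is larger.
SAMPLE_TE = (
    'policy_module(candlepin, 0.9.54)\n'
    'type candlepin_var_log_t;\n'
    'files_type(candlepin_var_log_t)\n'
    'type candlepin_etc_rw_t;\n'
    'files_type(candlepin_etc_rw_t)\n'
)

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print('%s -> %s %s %s: %d' % (key + (n,)))
    print('types needing logging_log_file():', unlabelled_log_types(SAMPLE_AUDIT))
    print(patch_te(SAMPLE_TE, 'candlepin_var_log_t')[0])
```

Run against a real system with `grep avc /var/log/audit/audit.log | python3 avc_check.py` style input instead of `SAMPLE_AUDIT`; `patch_te()` deliberately leaves other `files_type()` declarations alone, just as the workaround's `sed` does, so the only line that changes is the log type.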
*** Bug 1520357 has been marked as a duplicate of this bug. ***
*** Bug 1520499 has been marked as a duplicate of this bug. ***