1705083 – logrotate cannot access /var/log/boot.log

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1705083 - logrotate cannot access /var/log/boot.log

Summary: logrotate cannot access /var/log/boot.log

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	plymouth
Sub Component:
Version:	7.6
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Ray Strode [halfline]
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-01 12:37 UTC by Tomasz Kepczynski
Modified:	2023-12-15 16:28 UTC (History)
CC List:	11 users (show)
Fixed In Version:	plymouth-0.8.9-0.34.20140113.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-29 20:34:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4012	0	None	None	None	2020-09-29 20:34:43 UTC

Description Tomasz Kepczynski 2019-05-01 12:37:06 UTC

Description of problem:
After reapplying selinux-policy-targeted with:

# touch /.autorelabel

and rebooting (twice, one manual, one automatic) I am getting the following email notifcation:

/etc/cron.daily/logrotate:

error: stat of /var/log/boot.log failed: Brak dostępu

("Brak dostępu" means "permission denied" in Polish)

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-229.el7_6.12
plymouth-0.8.9-0.31.20140113.el7

How reproducible:

Always

Additional info:

/var/log/boot.log is hardlinked to /var/spool/plymouth/boot.log and the policy specifies different file types for these two locations which obviously breaks at some point:

triss:~# restorecon -rv /var/log/
restorecon reset /var/log/boot.log context system_u:object_r:plymouthd_spool_t:s0->system_u:object_r:plymouthd_var_log_t:s0
triss:~# restorecon -rv /var/spool/plymouth/
restorecon reset /var/spool/plymouth/boot.log context system_u:object_r:plymouthd_var_log_t:s0->system_u:object_r:plymouthd_spool_t:s0

Either the file is incorrectly hardlinked (which is likely plymouthd issue) or the policy is incorrect (which is selinux-policy-targeted issue).

Comment 2 Milos Malik 2019-05-02 10:59:57 UTC

Here is the SELinux denial which appears when logrotate tries to rotate the /var/log/boot.log file and the log file is labeled with plymouthd_spool_t:
----
type=PROCTITLE msg=audit(05/02/2019 12:45:01.589:314) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf 
type=PATH msg=audit(05/02/2019 12:45:01.589:314) : item=0 name=/var/log/boot.log inode=16797764 dev=fd:02 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:plymouthd_spool_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/02/2019 12:45:01.589:314) :  cwd=/etc/logrotate.d 
type=SYSCALL msg=audit(05/02/2019 12:45:01.589:314) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x1804e70 a1=0x7ffd8524bb20 a2=0x7ffd8524bb20 a3=0x2 items=1 ppid=17217 pid=17219 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=8 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/02/2019 12:45:01.589:314) : avc:  denied  { getattr } for  pid=17219 comm=logrotate path=/var/log/boot.log dev="vda2" ino=16797764 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouthd_spool_t:s0 tclass=file permissive=0 
----

Comment 3 Milos Malik 2019-05-02 11:01:57 UTC

# rpm -qf /etc/logrotate.d/bootlog 
plymouth-0.8.9-0.32.20140113.el7.x86_64
# rpm -qa selinux-policy\* | sort
selinux-policy-3.13.1-245.el7.noarch
selinux-policy-devel-3.13.1-245.el7.noarch
selinux-policy-mls-3.13.1-245.el7.noarch
selinux-policy-sandbox-3.13.1-245.el7.noarch
selinux-policy-targeted-3.13.1-245.el7.noarch
#

One of the reproducers is:

# anacron -fsn
#

Comment 4 Zdenek Pytela 2019-08-22 16:04:54 UTC

SELinux context is stored in an extended attribute of a file, so it cannot be different for 2 different file paths. In policy, we have different context though:

# matchpathcon /var/log/boot.log /var/spool/plymouth/boot.log
/var/log/boot.log       system_u:object_r:plymouthd_var_log_t:s0
/var/spool/plymouth/boot.log    system_u:object_r:plymouthd_spool_t:s0

plymouth developers, would it be possible to avoid having such a hardlink?

Comment 5 Ray Strode [halfline] 2019-08-22 17:39:46 UTC

yea we dont' actually use that spool file anymore. we could just drop it.

Comment 20 Bill Sanford 2020-05-13 17:24:32 UTC

[root@kvm-02-guest11 ~]# ls -lZ /var/log/boot.log
-rw-------. root root system_u:object_r:plymouthd_var_log_t:s0 /var/log/boot.log

The /var/log/boot.log is no longer hardlinked to /var/spool/plymouth/boot.log

Comment 21 David Hernández Fernández 2020-09-23 12:35:30 UTC

Hey Ray, would you be so kind to let us know when the ERRATA is going to be released? I can see that it is being continuously delayed week by week, not sure if it is expected. I'm talking about RHBA-2020:54456-02. Thanks in advance.

Comment 22 Michael Boisvert 2020-09-23 12:58:21 UTC

(In reply to David Hernández Fernández from comment #21)
> Hey Ray, would you be so kind to let us know when the ERRATA is going to be
> released? I can see that it is being continuously delayed week by week, not
> sure if it is expected. I'm talking about RHBA-2020:54456-02. Thanks in
> advance.

David, unfortunately the GA keeps getting pushed back due to RC blocking issues. As of right now the GA is set for September 29th.

Comment 24 errata-xmlrpc 2020-09-29 20:34:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (plymouth bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4012

Note You need to log in before you can comment on or make changes to this bug.