When the sssd-common package introduced a change to the permissions of the log files in /var/log/sssd/, this was added to the RPM %postinstall scriptlet:

    /usr/bin/chown -f sssd:sssd /var/log/sssd/*.log || true

(Ref: https://src.fedoraproject.org/rpms/sssd/blob/f42/f/sssd.spec#_1119 )

However, there is also a logrotate configuration in sssd-common that rotates and compresses the log files /var/log/sssd/*.log, and it also has "su sssd sssd" in the configuration. (Ref: https://github.com/SSSD/sssd/blob/master/src/examples/logrotate.in)

If sssd had been running before the transition to using the sssd user/group for log file ownership, there were several root:root-owned files that had been rotated earlier. However, logrotate can no longer rotate them because their permissions were restricted to root and logrotate is running as sssd:sssd. You'll get an error that looks like:

    logrotate[61244]: error: unable to open /var/log/sssd/sssd_pam.log-20250511 (read-only) for compression: Permission denied

This causes the logrotate.service to error out immediately, rather than continuing to rotate log files.

I think the glob in the rpm %post install scriptlet should be changed to /var/log/sssd/*.log* to address this.

Reproducible: Always
It looks like fixing the sssd.service could also fix this. It currently has:

    ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"

(Ref: https://github.com/SSSD/sssd/blob/master/src/sysv/systemd/sssd.service.in#L22 )
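The following shell script is an added example, not part of the bug report, the comments above, or SSSD itself. It shows the two things a practitioner would want to confirm from this thread: that a `*.log` glob (as used in both the %post scriptlet and the ExecStartPre line) misses previously rotated copies while `*.log*` catches them, and how to audit a log directory for files whose owner:group differs from the user named in the logrotate `su` directive, which is exactly the condition that makes logrotate fail. The directory layout and the logrotate snippet are constructed in a temporary directory (nothing touches /var/log/sssd), and `stat -c '%U:%G'` assumes GNU coreutils (Linux).

```shell
#!/bin/sh
# Added example (not from the bug report or SSSD): glob coverage and an
# ownership audit for a logrotate-managed directory.

# Build a constructed sample directory that mirrors the report: live logs
# plus rotated copies, one uncompressed and one already gzipped. Ownership
# cannot be changed without root, so the mismatch case is exercised below by
# passing an expected owner that differs from the current user.
make_sample_dir() {
    dir=$(mktemp -d)
    : > "$dir/sssd.log"
    : > "$dir/sssd_pam.log"
    : > "$dir/sssd_pam.log-20250511"       # rotated, not yet compressed
    : > "$dir/sssd_nss.log-20250504.gz"    # rotated and compressed
    echo "$dir"
}

# Count the files a glob matches inside a directory. Used to show that
# "*.log" selects only live logs while "*.log*" also selects rotated copies.
count_glob() {
    dir=$1
    pattern=$2
    n=0
    for f in "$dir"/$pattern; do
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print "path owner:group" for every file under $dir, rotated copies
# included, whose owner:group is not $want. A non-empty result is the
# precondition for the "Permission denied" compression error in the report.
# Assumes GNU stat (-c).
find_mismatched_owner() {
    dir=$1
    want=$2
    for f in "$dir"/*.log*; do
        [ -e "$f" ] || continue
        have=$(stat -c '%U:%G' "$f")
        [ "$have" = "$want" ] || printf '%s %s\n' "$f" "$have"
    done
}

# Read the "su user group" directive from a logrotate config and return it as
# user:group, the value that find_mismatched_owner should be compared against.
logrotate_su() {
    awk '$1 == "su" { print $2 ":" $3; exit }' "$1"
}

# Stand-alone usage: audit a constructed directory against a constructed
# logrotate snippet that uses the same "su sssd sssd" line as sssd-common.
d=$(make_sample_dir)
cfg=$(mktemp)
printf '/var/log/sssd/*.log {\n    su sssd sssd\n    compress\n}\n' > "$cfg"
echo "files matched by *.log : $(count_glob "$d" '*.log')"
echo "files matched by *.log*: $(count_glob "$d" '*.log*')"
echo "files not owned by $(logrotate_su "$cfg"):"
find_mismatched_owner "$d" "$(logrotate_su "$cfg")"
rm -rf "$d" "$cfg"
```

Run against a real directory, `find_mismatched_owner /var/log/sssd "$(logrotate_su /etc/logrotate.d/sssd)"` lists exactly the files the `*.log` chown left behind; an empty result means logrotate, running as the `su` user, can open everything it is going to rotate.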
Upstream PR: https://github.com/SSSD/sssd/pull/8025
Pushed PR: https://github.com/SSSD/sssd/pull/8025

* `master`
  * d8ac442973e3304c951d42126eea6248b7dc8d2a - spec: don't dereference links while chown-ing in %post
  * 7e8b62e0a98b7dba1b11798da73992bb5478da35 - Make sure previously rotated logs are chown-ed as well.
* `sssd-2-11`
  * 30f03098a4c88d30a12ecbe6c1f4af6d73193436 - spec: don't dereference links while chown-ing in %post
  * f51065918e95ac98b28fbc3392c2f7838a629836 - Make sure previously rotated logs are chown-ed as well.