Description of problem: I started getting this message from logrotate: touch: cannot touch `/var/run/boinc_was_running': Permission denied Which is not surprising as /var/run is drwxr-xr-x 35 root root and boinc-client runs (as it should) as user 'boinc' Version-Release number of selected component (if applicable): logrotate-3.7.7-1.fc10.x86_64 boinc-client-6.4.7-10.r17542svn.fc10.x86_64 How reproducible: happens each logrotate run Steps to Reproduce: 1. have boinc-client installed 2. /etc/sysconfig/boinc-client left as shipped in the rpm 3. wait for next rotation of logs Actual results: touch: cannot touch `/var/run/boinc_was_running': Permission denied Expected results: log rotation working Additional info: it's probably easiest if we move the boinc_was_running file to boinc's working directory or a subdirectory of it (/var/lib/boinc/var/run/boinc_was_running maybe?) and adjust /etc/sysconfig/boinc-client
Blah...thanks for report, will fix this asap.
Well...I have now read your description carefully and became somewhat confused: First of all, boinc-client is running under the boinc account, but this doesn't matter, the logs are rotated by the logrotate daemon which operates under the root account (it is started by cron). Moreover, this has nothing to do with the sysconfig file, but with the logrotate configuration (/etc/logrotate.d/boinc-client). I also cannot reproduce this in any way -- where do you get those error messages? When you force logrotate directly (logrotate -f)? Could you please post the full output of `logrotate -f /etc/logrotate.conf` (Note that this will rotate *all* your logs).
(In reply to comment #2) > Moreover, this has nothing to do with the sysconfig file, but with the > logrotate configuration (/etc/logrotate.d/boinc-client). true. Albeit that file is also not modified (just verified with rpm -V) > I also cannot reproduce this in any way my bad, should have looked closer before posting, while it seemed in my recollection to happen on each run, it only happens on some of the logrotate runs, I am not yet sure what is different in the failing runs. FWIW: I get this on three machines (F10 i386, F10 x86_64 and rawhide x86_64) >-- where do you get those error messages? in cron's and anacron's emails > When you force logrotate directly (logrotate -f)? Could you please > post the full output of `logrotate -f /etc/logrotate.conf` (Note that this will > rotate *all* your logs). No output at all. Tried rotating logs in the following scenarios - boinc running - boinc stopped cleanly - all boinc processes kill -9'ed still, all forced log rotations went through without complaints.
Created attachment 343260 [details] Output from setroubleshoot I have just experienced the same issue on Rawhide, but did not have it on Fedora 10. The problem seems to be coming from SELinux. The summary from setroubleshoot is "SELinux is preventing touch (logrotate_t) "write" to run (var_run_t)." I've included the complete text as an attachment. I don't have much experience with SELinux and have not tried using the restorecon command to fix the file context. We may need to file a bug report against the selinux-policy package.
As Patrick mentioned changing the location of the boinc_was_running file is probably the easiest solution. Rather than go through SELinux policy I changed all references of /var/run/boinc_was_running to /tmp/boinc_was_running in /etc/logrotate.d/boinc-client. I've tested this solution and it resolves the error. Logs were rotating, but boinc-client would stop during prerotate and never restart since the boinc_was_running file did not get created. The /var/run directory is meant more for pid files and information on running processes anyway. I felt that /tmp is the right spot for this since this file is very temporary in nature and simply acts as a trigger to stop and start boinc-client during log rotation. In my opinion /var/lib/boinc is meant to hold application data for boinc-client. While logrotate does stop and start boinc-client, the process really is separate from anything being done in the boinc working directory.
Patrick, William: sorry for the delay and thank you for your information. The proposed solution (moving to /tmp) sounds like a good plan to me (definitely it is much better than changing/providing SELinux policy, there have been already some troubles with SELinux & boinc). I'll modify the package accordingly, probably together with updating to the 6.6 branch.
I agree that changing SELinux policy for this is overkill. I would suggest putting the file into boinc's work directory though (/var/lib/boinc/), final decision is up to you. Please tell when a package is available in updates-testing, I'll install it and let it run for a week or two
Unfortunately, this would bring us to the same problem, just instead of "var_run_t" it would be "var_lib_t" -- this was the former SELinux issue, the log files were previously in /var/lib/boinc.
true, /facepalm to /tmp it goes then
Milos, will the F10 and F11 packages be updated with a fix?
Definitely yes...hopefully even today I'll get to it.
boinc-client-6.6.37-2.r18632svn.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/boinc-client-6.6.37-2.r18632svn.fc11
installed 6.6.37-2.r18632svn.fc11 on 3 affected F11 boxes, will report back in about a week if logrotate went fine.
boinc-client-6.6.37-2.r18632svn.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update boinc-client'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7940
boinc-client-6.6.37-2.r18632svn.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/boinc-client-6.6.37-2.r18632svn.fc10
boinc-client-6.6.37-2.r18632svn.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update boinc-client'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-7973
boinc-client-6.6.37-2.r18632svn.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
boinc-client-6.6.37-2.r18632svn.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.