Description of problem:
mysql logrotate unable to flush-logs because of missing selinux policy

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75
mysql-server-5.5.20-1
logrotate-3.8.0-3

How reproducible:
Whenever the logrotate cron job runs

Steps to Reproduce:
1. Install mysqld
2. Create /root/.my.cnf with login details for mysqladmin (user & password entries)
3. Install logrotate
4. Enable cron
5. Enable selinux

Actual results:
logrotate fails in the mysqld script with 'mysqladmin ping':
mysqladmin: connect to server at 'localhost' failed

Expected results:
logrotate for mysqld succeeds, 'mysqladmin flush-logs' runs, and new entries go to the new log files

Additional info:
/root/.my.cnf has fcontext admin_home_t by default, and logrotate has scontext of logrotate_t, which is not permitted getattr on admin_home_t. Either .my.cnf needs a new context, or an additional allow rule should be added so that the logrotate script /etc/logrotate.d/mysqld can use the login details in /root/.my.cnf when /usr/bin/mysqladmin executes ping & flush-logs.
It should be fixed in selinux-policy-targeted-3.10.0-76. You can update using
$ yum update selinux-policy-targeted --enablerepo=updates-testing
Installed 3.10.0-78 (which yum update gave me) and tested on last night's logrotate, still received a denial:
avc: denied { getattr } for pid=18817 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
It was added to the latest policy which is available from koji for now.
3.10.0-79 appears to have resolved the issue. I no longer receive the denial for /etc/logrotate.d/mysqld.
Correction... the denial is no longer logged, however the postrotate script still fails (output from cron):
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
error: error running non-shared postrotate script for /var/log/mysqld.log of '/var/log/mysqld.log '
So mysqld is not performing flush-logs correctly...
Is this SELinux issue? Does it work in permissive mode?
Yes, if I setenforce 0 and let cron run logrotate for mysqld, the logs are rotated and compressed as expected, no error is reported. Performing the same with setenforce 1 results in the error above, and the rotated log is not compressed (I'm guessing as a result of the script error). ... both with the same initial conditions.
Scott, can you try to rotate them after executing semodule -DB, which will disable dontaudit rules? Then grab the AVCs related to logrotate. Turn the dontaudit rules back on with semodule -B.
Here's the denial:
avc: denied { getattr } for pid=2292 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
Was caused by: Unknown - should be dontaudit'd by active policy
Actually, re-ran with setenforce 0 to get all the denials:
avc: denied { open } for pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
avc: denied { read } for pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
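The denials quoted in this thread are easier to reason about once they are parsed into source type, target type, object class and permission set, which is what audit2allow does before proposing a rule. The following is an added example (not part of the bug report, not Fedora's policy tooling) that does that for the three AVC lines posted above. The sample audit.log text is constructed here: the `type=AVC msg=audit(...)` prefix and the trailing SYSCALL record are assumptions about how the lines would appear in /var/log/audit/audit.log, and the resulting `allow` line is a reading aid for triage rather than the fix that was actually shipped (the policy change used the mysql_read_home_content interface).

```python
import re
from collections import defaultdict

# Constructed sample: the denials reported in this bug, with an assumed
# audit.log prefix, plus one non-AVC record to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331600000.123:1001): avc:  denied  { getattr } for  pid=2292 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
type=AVC msg=audit(1331600000.456:1002): avc:  denied  { open } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
type=AVC msg=audit(1331600000.457:1003): avc:  denied  { read } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
type=SYSCALL msg=audit(1331600000.457:1003): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of an SELinux context (user:role:type[:range])."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    scontext = fields.get('scontext', '')
    tcontext = fields.get('tcontext', '')
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # getattr denials carry path=, open/read denials carry name=
        'path': fields.get('path') or fields.get('name'),
        'scontext': scontext,
        'tcontext': tcontext,
        'stype': type_of(scontext) if scontext else None,
        'ttype': type_of(tcontext) if tcontext else None,
        'tclass': fields.get('tclass'),
    }


def parse_audit_log(text):
    """Return all AVC denial records found in a block of audit log text."""
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec]


def summarize_allow_rules(denials):
    """Merge denials per (source type, target type, class) into one allow rule each.

    This mirrors what audit2allow prints; it is a summary for triage, not a
    recommendation to load the rule as-is (the real fix may be a relabel or
    an existing policy interface instead of a raw allow).
    """
    merged = defaultdict(set)
    for d in denials:
        if d['stype'] and d['ttype'] and d['tclass']:
            merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(merged.items())
    ]


if __name__ == '__main__':
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d['comm']} ({d['stype']}) denied {d['perms']} on {d['path']} ({d['ttype']}:{d['tclass']})")
    for rule in summarize_allow_rules(found):
        print(rule)
    # An empty result does not prove SELinux is uninvolved: dontaudit rules
    # hide denials until they are disabled (semodule -DB), as in this thread.
```

Run against the sample, the three records collapse into a single `allow logrotate_t mysqld_home_t:file { getattr open read };`, which is exactly the access that the `mysqladmin` child of logrotate needs on /root/.my.cnf. The comment at the end of `main` is the caveat this thread illustrates: the first denial went silent after the policy update while the script still failed, because a dontaudit rule suppressed it; only `semodule -DB` made the remaining open/read denials visible.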
Miroslav, you need to backport the changes from logrotate in f17: mysql_read_home_content(logrotate_t)
$ git log f16
commit d88e3a72eeefa0b97a559edac09c79060d1c4764
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 13 23:03:38 2012 +0000

    Allow logrotate to read mysql home content
Not sure how to see the diffs in the commit, but you might also want to remove the "don't audit" for the above errors (if appropriate) to ease tracking down similar issues in the future :)
You can check it on http://git.fedorahosted.org/git/?p=selinux-policy.git;a=shortlog;h=refs/heads/f16
Hmm... looks like the f16 tree hasn't been updated in over a month, and a search for the commit (even on the master branch) doesn't return any results.
Updated.
Tried this with selinux-policy-targeted-3.10.0-83, and it appears fixed. logrotate correctly flushed mysqld's logs when run from crond last night (had to re-enable log rotation which was disabled in a recent mysql update). Bug appears fixed, looking forward to seeing the package in testing :)
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.