cancel
Showing results for 
Search instead for 
Did you mean: 
Jeff_Schaller
Flight Engineer
Flight Engineer
  • 3,067 Views

SELinux + logrotate + 3rd-party applications

I'd like to gather the community's perspectives on using SELinux in enforcing mode in combination with using logrotate to manage 3rd-party application logs. A standard cron job invokes logrotate, which has its own SELinux security context, and so is unable to create new log files (or execute application recycle scripts) in non-OS locations. How do you manage this?

1. Do you disable SELinux (and make Dan Walsh weep)?

2. Do you "semanage permissive -a logrotate_t"? (ref: 11.3.4.1. Making a Domain Permissive)  Do you follow up with more-specific rules on a machine-by-machine basis?

3. Do you hand-craft specific rules based on the AVC's?

4. Do you pipe the denials to "audit2allow" and apply it?

5. Do you not use logrotate for this at all?

Looking forward to the community expertise!

4 Replies
Lisenet
Starfighter Starfighter
Starfighter
  • 3,033 Views

It's usually a mix of 2, 3 and 4 for me, depending on how much effort is required to get it working.

jthiatt
Flight Engineer Flight Engineer
Flight Engineer
  • 3,025 Views

I agree with @Lisenet, really depends on the level of effort.

Option 1 should never be considred, we want to keep Dan happy. =)

Lisenet
Starfighter Starfighter
Starfighter
  • 3,019 Views

@jthiattI'm not sure on why would people want to disable SELinux. Unless it adds some performance penalty to your application which you are certain about, just set it to "permissive" and take it from here.

0 Kudos
jthiatt
Flight Engineer Flight Engineer
Flight Engineer
  • 3,009 Views

I see lots of people do it, they are the same people that like to turn off the firewall too.

You are exactly right, you should at least set it to permissive and figure out the denials instead of just disabling SELinux all together.

Join the discussion
You must log in to join this conversation.