Re: SELinux + logrotate + 3rd-party applications

Jeff_Schaller · ‎09-08-2018

I'd like to gather the community's perspectives on using SELinux in enforcing mode in combination with using logrotate to manage 3rd-party application logs. A standard cron job invokes logrotate, which has its own SELinux security context, and so is unable to create new log files (or execute application recycle scripts) in non-OS locations. How do you manage this?

1. Do you disable SELinux (and make Dan Walsh weep)?

2. Do you "semanage permissive -a logrotate_t"? (ref: 11.3.4.1. Making a Domain Permissive) Do you follow up with more-specific rules on a machine-by-machine basis?

3. Do you hand-craft specific rules based on the AVC's?

4. Do you pipe the denials to "audit2allow" and apply it?

5. Do you not use logrotate for this at all?

Looking forward to the community expertise!

Lisenet · ‎09-10-2018

It's usually a mix of 2, 3 and 4 for me, depending on how much effort is required to get it working.

jthiatt · ‎09-10-2018

I agree with @Lisenet, really depends on the level of effort.

Option 1 should never be considred, we want to keep Dan happy. =)

Lisenet · ‎09-10-2018

@jthiattI'm not sure on why would people want to disable SELinux. Unless it adds some performance penalty to your application which you are certain about, just set it to "permissive" and take it from here.

jthiatt · ‎09-10-2018

I see lots of people do it, they are the same people that like to turn off the firewall too.

You are exactly right, you should at least set it to permissive and figure out the denials instead of just disabling SELinux all together.