Flight Engineer

SELinux + logrotate + 3rd-party applications

I'd like to gather the community's perspectives on using SELinux in enforcing mode in combination with using logrotate to manage 3rd-party application logs. A standard cron job invokes logrotate, which has its own SELinux security context, and so is unable to create new log files (or execute application recycle scripts) in non-OS locations. How do you manage this?

1. Do you disable SELinux (and make Dan Walsh weep)?

2. Do you "semanage permissive -a logrotate_t"? (ref: 11.3.4.1. Making a Domain Permissive)  Do you follow up with more-specific rules on a machine-by-machine basis?

3. Do you hand-craft specific rules based on the AVCs?

4. Do you pipe the denials to "audit2allow" and apply it?

5. Do you not use logrotate for this at all?

Looking forward to the community expertise!

Starfighter

Re: SELinux + logrotate + 3rd-party applications

It's usually a mix of 2, 3 and 4 for me, depending on how much effort is required to get it working.

Flight Engineer

Re: SELinux + logrotate + 3rd-party applications

I agree with @Lisenet, really depends on the level of effort.

Option 1 should never be considered, we want to keep Dan happy. =)

Starfighter

Re: SELinux + logrotate + 3rd-party applications

@jthiatt I'm not sure why people would want to disable SELinux. Unless it adds some performance penalty to your application which you are certain about, just set it to "permissive" and take it from here.

Flight Engineer

Re: SELinux + logrotate + 3rd-party applications

I see lots of people do it, they are the same people that like to turn off the firewall too.

You are exactly right, you should at least set it to permissive and figure out the denials instead of just disabling SELinux altogether.

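Options 3 and 4 from the question both start from the AVC denials recorded for logrotate_t. The following is an added example, not code from any poster in this thread: it groups those denials by target type and object class and builds candidate allow rules for review, a simplified version of what audit2allow produces. The audit lines, the usr_t and var_log_t targets, and the file names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from a real host). Denials are logged with
# "denied" whether the domain is enforcing (permissive=0) or permissive (=1).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:410): avc:  denied  { write } for  pid=2211 comm="logrotate" name="logs" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:411): avc:  denied  { add_name } for  pid=2211 comm="logrotate" name="app.log.1" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.103:412): avc:  denied  { create } for  pid=2211 comm="logrotate" name="app.log" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:413): avc:  denied  { open } for  pid=900 comm="httpd" name="x.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text, source_type="logrotate_t"):
    """Map (target type, object class) -> set of permissions denied to source_type."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # not an AVC denial, or a different domain
        key = (selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def candidate_rules(grouped, source_type="logrotate_t"):
    """Render the grouped denials as allow rules to be reviewed, not loaded blindly."""
    return [
        f"allow {source_type} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

An allow rule on a broad type such as usr_t applies to every object carrying that label, so the grouped output is worth reading before any of it is turned into a policy module.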