View Issue Details

ID: 0004225
Project: Rocky-Linux-9
Category: selinux-policy
View Status: public
Last Update: 2023-09-15 09:14
Reporter: Jamie Burchell
Assigned To:
Status: new
Resolution: open
Platform: Linux
OS: Rocky Linux
OS Version: 9.2
Summary: 0004225: logrotate cannot read directories labelled httpd_sys_content_t
Description: I store log files for individual virtual hosts in /var/www/vhosts/foo/log, which has a directory label of httpd_log_t.

SELinux denies access to read the vhosts directory:

type=AVC msg=audit(1694646003.329:8073): avc: denied { read } for pid=32077 comm="logrotate" name="vhosts" dev="vda1" ino=335544449 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconf

Using this logrotate config:

/var/log/php-fpm/*log /var/www/vhosts/*/log/*log {
        /bin/kill -SIGUSR1 `cat /run/php-fpm/ 2>/dev/null` 2>/dev/null || true
Steps To Reproduce: Create the above directory structure with logrotate config and trigger the systemd timer for logrotate.
Tags: No tags attached.


There are no notes attached to this issue.
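
Added example, not part of the original report: a small Python parser that splits the AVC record quoted above into its fields and marks it incomplete when the target context or object class is missing, which is the case for the record as it appears in this issue. The function names are this example's own.

```python
import re

# The AVC record as quoted in the issue (it is cut off partway through tcontext).
RECORD = ('type=AVC msg=audit(1694646003.329:8073): avc: denied { read } for '
          'pid=32077 comm="logrotate" name="vhosts" dev="vda1" ino=335544449 '
          'scontext=system_u:system_r:logrotate_t:s0 tcontext=unconf')

HEAD = re.compile(r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
                  r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                  r'\s+for\s+(?P<rest>.*)')
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; return None if fewer than three fields exist."""
    parts = ctx.split(':', 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC record."""
    m = HEAD.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group('rest'))}
    source = split_context(fields.get('scontext', ''))
    target = split_context(fields.get('tcontext', ''))
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': source['type'] if source else None,
        'target_type': target['type'] if target else None,
        'tclass': fields.get('tclass'),
        # Both contexts and the object class are needed to identify the denied rule.
        'complete': bool(source and target and 'tclass' in fields),
    }


if __name__ == '__main__':
    for key, value in parse_avc(RECORD).items():
        print(f'{key}: {value}')
```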

Issue History

Date Modified Username Field Change
2023-09-15 09:14 Jamie Burchell New Issue