SELinux denies “systemctl kill” when used in Anacron postrotate script on CentOS 7

I'm using backup software called UrBackup, which I've configured to rotate its logs once a day through cron.daily. After the logs are rotated, the software uses a postrotate script to send the running process a HUP signal with "systemctl kill". However, SELinux is denying this operation, and I can't figure out how to fix it.

Here is the entire logrotate config file for UrBackup from /etc/logrotate.d:

"/var/log/urbackup.log" {
        daily
        rotate 30
        missingok
        create 640 urbackup urbackup
        compress
        postrotate
                test -e /var/run/urbackupsrv.pid && kill -HUP $(cat /var/run/urbackupsrv.pid) || /bin/systemctl kill -s HUP urbackup-server.service
        endscript
}

As I've found, the following problematic postrotate script is being executed on the system:

/bin/systemctl kill -s HUP urbackup-server.service

SELinux is blocking this. Here is the relevant log entry from /var/log/messages:

Nov 14 03:33:33 backup4 kernel: type=1107 audit(1510648413.518:4407695): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/urbackup-server.service" cmdline="/bin/systemctl kill -s HUP urbackup-server.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service#012 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Nov 14 03:33:33 backup4 logrotate: ALERT exited abnormally with [1]

Because the HUP signal is not sent to the service, it doesn't know that the logfiles have been rotated, and it continues writing indefinitely into an old (rotated) log.

I tried to troubleshoot this using the sealert utility to provide an explanation of all errors in /var/log/audit/audit.log. However, it appears to ignore this error, even though the log entry appears in audit.log.

I also tried running the "systemctl kill" command interactively as root. It completes without any error. The same goes for a manual running of logrotate:

logrotate -f /etc/logrotate.d/urbackup-server

That command also runs without problems. The only time I'm seeing the SELinux denial is when logrotate is triggered by the daily Anacron process.

Is the "systemctl kill" command explicitly not allowed by SELinux? If so, why can I run it interactively, but not when started through cron? Is there any way I can add an exception for this case, or another way I can send the HUP signal to the process so it will write into the correct log file?

Thank you very much for any assistance.

1
asked 17 November 2017 at 12:25
1 answer

In particular, the logrotate_t context is not allowed to stop systemd_unit_file_t. Your interactive run of it takes place in a different context.

Curious that it fell through the pid-file test. If that pid file does not exist while the service is running, try adding PIDFile=/var/run/urbackupsrv.pid to the urbackup-server.service unit.

There are ways to define domain transitions in SELinux, but try the pid file first.

1
answered 3 December 2019 at 23:23
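As an added example (not code from either post): a POSIX shell version of the postrotate logic from the question that validates the pid file before anything is signalled, so a stale or malformed file fails closed instead of falling through to the systemctl path that SELinux denies, plus a small helper that reads the denied permission and the source and target types out of an AVC record like the one in the question. The function names are mine; the pid-file path, service name and AVC record are the ones given in the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names are my own.

# avc_summary RECORD -> "source_type denied perm on target_type (class X)"
# Pulls the fields a reader needs out of an SELinux AVC record as logged to
# /var/log/messages or audit.log; returns 1 if the record is not an AVC denial.
avc_summary() {
    rec=$1
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    stype=$(printf '%s\n' "$rec" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    ttype=$(printf '%s\n' "$rec" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    tclass=$(printf '%s\n' "$rec" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$ttype" ] || return 1
    printf '%s denied %s on %s (class %s)\n' "$stype" "$perm" "$ttype" "$tclass"
}

# hup_from_pidfile PIDFILE -> 0 only if a live, plainly numeric pid was sent SIGHUP.
# Unlike "test -e pidfile && kill -HUP $(cat pidfile)", an empty, stale or
# malformed pid file makes this return 1 rather than signalling a bogus pid.
hup_from_pidfile() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|0|*[!0-9]*) return 1 ;;          # empty, zero, or not a plain integer
    esac
    kill -0 "$pid" 2>/dev/null || return 1  # process must still exist (stale file)
    kill -HUP "$pid"
}

# postrotate entry point: pid file first, systemctl only as the fallback, as in
# the question's config. Returns systemctl's status when the fallback is taken.
postrotate_hup() {
    hup_from_pidfile "$1" || /bin/systemctl kill -s HUP "$2"
}

# The AVC record from the question (leading auid/ses fields trimmed), as sample input.
SAMPLE_AVC="Nov 14 03:33:33 backup4 kernel: type=1107 audit(1510648413.518:4407695): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=0 uid=0 gid=0 path=\"/usr/lib/systemd/system/urbackup-server.service\" cmdline=\"/bin/systemctl kill -s HUP urbackup-server.service\" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service#012 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"

avc_summary "$SAMPLE_AVC"
# → logrotate_t denied stop on systemd_unit_file_t (class service)
```

In the question's config the call would be postrotate_hup /var/run/urbackupsrv.pid urbackup-server.service; when the summary shows logrotate_t rather than unconfined_t as the source type, that is the cron context the answer refers to.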
