Uploaded image for project: 'PuppetDB'
  1. PuppetDB
  2. PDB-901

Logrotate of puppetdb does not work (SELinux)

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • PDB 1.6.0, PDB 2.2.0
    • None
    • PuppetDB

    • Debian Wheezy, SELinux in targeted enforcing mode.

    • PuppetDB

    Description

      Each and every day I get the following email:
      /etc/cron.daily/logrotate:
      error: error switching euid to 116 and egid to 121: Operation not permitted
      run-parts: /etc/cron.daily/logrotate exited with return code 1

      This happens because of the "su puppetdb puppetdb" line in puppetdb's logrotate configuration, which in turn triggers the following SELinux policy rule:

      root@zarquon:~# sesearch -t logrotate_t -s logrotate_t --dontaudit
      Found 1 semantic av rules:
      dontaudit logrotate_t logrotate_t : capability

      { setgid setuid sys_ptrace }

      ;

      As a workaround, I could change the SELinux policy, but I'm reluctant to do that, as this is a rule that is explicitly denied.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. PDB-71 PR (742): (packaging) (#20148) Update logrotate script when appropriate - shrug

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              Unassigned Unassigned
              bartjan Bart-Jan Vrielink
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support