How to configure logrotate for multiple httpd instances
Issue
On a host that has SELinux enabled and in enforcing mode and runs multiple httpd instances (i.e. as suggested by Solution 21680), log rotation with a single logrotate configuration may fail when a postrotate script similar to the following is used:
    postrotate
        /bin/systemctl reload httpd*.service > /dev/null 2>/dev/null || true
    endscript
The systemctl reload httpd*.service command works from the command line. However, when logrotate runs as a cron or anacron job, SELinux policy prevents it from listing the active services that match the httpd*.service pattern, and an AVC denial similar to the following is recorded in audit.log:
type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
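To confirm that a failed rotation is caused by this denial, the record above can be picked out of audit.log by its source domain. The following is an added example, not part of the original article; the function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample: the USER_AVC record quoted above, plus one unrelated
# record (constructed) that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1523410570.100:838): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=crond comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

HEADER_RE = re.compile(
    r"^type=USER_AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):"
    r".*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line):
    """Return a dict for a USER_AVC denial record, or None for other lines."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    # Key=value pairs after the permission set describe the denied request.
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(line[m.end():])}
    return {
        "epoch": int(m.group("epoch")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "cmdline": fields.get("cmdline", ""),
        "tclass": fields.get("tclass", ""),
        # An SELinux context is user:role:type:level; index 2 is the type.
        "source_type": fields.get("scontext", ":::").split(":")[2],
        "target_type": fields.get("tcontext", ":::").split(":")[2],
    }


def find_logrotate_denials(text):
    """Denials where the requesting domain is logrotate_t, in log order."""
    records = (parse_user_avc(line) for line in text.splitlines())
    return [r for r in records if r and r["source_type"] == "logrotate_t"]


if __name__ == "__main__":
    for r in find_logrotate_denials(SAMPLE_AUDIT_LOG):
        print(r["serial"], r["source_type"], "->", r["target_type"],
              r["tclass"], r["perms"], r["cmdline"])
```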
Environment
- Red Hat Enterprise Linux 7
- Multiple instances of the Apache HTTP Server (httpd) running on one host
- Using a single logrotate configuration for the rotation of all logs of all httpd instances
