How to configure logrotate for multiple httpd instances
Issue
When running multiple httpd instances on a single host (for example, as suggested by Solution 21680) that has SELinux enabled and in enforcing mode, using a single logrotate configuration to rotate the logs of all instances may fail when a postrotate script similar to the following is used:

    postrotate
        /bin/systemctl reload httpd*.service > /dev/null 2>/dev/null || true
    endscript

The systemctl reload httpd*.service command works from the command line. However, when logrotate runs as a cron or anacron job, SELinux policy prevents it from listing the active services that match the httpd*.service pattern, and an AVC denial similar to the following is recorded in audit.log:

    type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
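The denial above is a USER_AVC record: systemd (pid 1, running as init_t) reports on behalf of the kernel that the logrotate_t domain was denied the status permission on the system class, which is what systemctl needs to enumerate units before it can expand the httpd*.service glob. The following script is an added example, not part of the Red Hat article, that parses such records and flags exactly this logrotate-to-init pattern so it can be picked out of a larger audit.log. The sample log is constructed from the record quoted above plus one unrelated SYSCALL line; the function names and the classification rule are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit.log excerpt: the first record is the USER_AVC line
# quoted in the article; the second is a made-up unrelated record, included
# only to show that lines without an avc: decision are skipped.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1523410562.012:838): arch=c000003e syscall=59 success=yes exit=0 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023
"""

_TYPE_RE = re.compile(r"^type=(\w+)")
_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_INNER_RE = re.compile(r"msg='(.*)'\s*$")
_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values are either double-quoted or a bare non-space token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(record: str) -> Optional[Dict[str, object]]:
    """Parse one audit record into a flat dict, or return None when the line
    carries no avc: decision (e.g. SYSCALL, CRED_ACQ records)."""
    type_m = _TYPE_RE.match(record)
    event_m = _EVENT_RE.search(record)
    if not type_m or not event_m:
        return None
    # USER_AVC records (reported by systemd/dbus) wrap the avc text in msg='...';
    # kernel AVC records carry it directly after the serial number.
    inner_m = _INNER_RE.search(record)
    body = inner_m.group(1) if inner_m else record
    dec_m = _DECISION_RE.search(body)
    if not dec_m:
        return None
    fields: Dict[str, object] = {
        "type": type_m.group(1),
        "timestamp": event_m.group(1),
        "serial": event_m.group(2),
        "decision": dec_m.group(1),
        "perms": dec_m.group(2).split(),
    }
    for key, quoted, bare in _KV_RE.findall(body):
        fields[key] = quoted if quoted else bare
    for ctx in ("scontext", "tcontext"):
        value = fields.get(ctx)
        if isinstance(value, str):
            # SELinux context is user:role:type[:range]; policy rules key on the type
            parts = value.split(":")
            fields[ctx + "_domain"] = parts[2] if len(parts) >= 3 else value
    return fields


def is_logrotate_systemctl_denial(fields: Dict[str, object]) -> bool:
    """True when the record matches the pattern described in the article:
    logrotate_t denied 'status' on class 'system' against init_t, meaning the
    postrotate systemctl call could not enumerate units to expand its glob."""
    perms = fields.get("perms")
    return (
        fields.get("decision") == "denied"
        and fields.get("scontext_domain") == "logrotate_t"
        and fields.get("tcontext_domain") == "init_t"
        and fields.get("tclass") == "system"
        and isinstance(perms, list)
        and "status" in perms
    )


def find_logrotate_denials(log_text: str) -> List[Dict[str, object]]:
    """Scan audit.log text line by line and return the matching records."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields and is_logrotate_systemctl_denial(fields):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_logrotate_denials(SAMPLE_LOG):
        perms = " ".join(hit["perms"])  # type: ignore[arg-type]
        print(f"{hit['timestamp']}:{hit['serial']} {hit['scontext_domain']} -> "
              f"{hit['tcontext_domain']} {hit['tclass']} {{ {perms} }} "
              f"cmdline={hit['cmdline']!r}")
```

Feeding the real /var/log/audit/audit.log into find_logrotate_denials is a quick way to confirm that a silently failing rotation is this SELinux interaction rather than a logrotate misconfiguration; the denial is only visible in audit.log because the postrotate script discards systemctl's output and forces a zero exit status with || true.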
Environment
- Red Hat Enterprise Linux 7
- Multiple instances of the Apache HTTP Server (httpd) running on one host
- A single logrotate configuration used for the rotation of all logs of all httpd instances