How to configure logrotate for multiple httpd instances

Solution Verified

Issue

When running multiple httpd instances on a single host (for example as suggested by Solution 21680) with SELinux enabled and in enforcing mode, rotating the logs of all instances from a single logrotate configuration may fail when a postrotate script similar to the following is used:

postrotate
      /bin/systemctl reload httpd*.service > /dev/null 2>/dev/null || true
endscript

The systemctl reload httpd*.service command works from the command line. However, when logrotate runs as a cron or anacron job, SELinux policy prevents it from listing the active services that match the httpd*.service pattern, and an AVC denial similar to the following is recorded in audit.log:

type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
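To spot this failure before rotated logs go unnoticed, it helps to pull the relevant fields out of audit.log rather than eyeballing the raw record. The following is an added example, not part of this article or of any Red Hat tooling: it parses audit records of the nested USER_AVC form shown above (with a fallback for plain kernel AVC records), extracts the denied permission, the source and target SELinux types and the offending command line, and flags denials whose source domain is logrotate_t. The sample lines are constructed for the example; the first one is the record quoted above and the second is an unrelated record that the filter should ignore.

```python
import re

# Constructed sample input: the USER_AVC record from the article plus one
# unrelated SERVICE_START record so the filter has something to pass over.
SAMPLE_AUDIT_LINES = [
    "type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=0 uid=0 gid=0 cmdline=\"/bin/systemctl reload httpd*.service\" "
    "scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:init_t:s0 tclass=system  "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=SERVICE_START msg=audit(1523410562.100:838): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=logrotate "
    "comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? "
    "terminal=? res=success'",
]

# key=value tokens; values may be double-quoted, single-quoted or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# The AVC payload: avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def _unquote(raw):
    return raw[1:-1] if raw[0] in "\"'" else raw


def _merge_avc(rec, match):
    """Store verdict and permissions, then merge the payload's own key=value
    pairs without overwriting fields already taken from the outer record."""
    rec["avc"] = match.group(1)
    rec["perms"] = match.group(2).split()
    for key, raw in KV_RE.findall(match.group(3)):
        rec.setdefault(key, _unquote(raw))


def parse_audit_record(line):
    """Split one audit.log record into a dict of its fields.

    USER_AVC records (from userspace object managers such as systemd) carry
    the AVC text inside a quoted msg='...' field; kernel AVC records carry it
    at top level. Both shapes end up with 'avc', 'perms', 'scontext',
    'tcontext' and 'tclass' keys when present.
    """
    rec = {}
    for key, raw in KV_RE.findall(line):
        value = _unquote(raw)
        if key == "msg":
            if value.startswith("audit("):
                rec["event"] = value  # audit(<epoch>.<ms>:<serial>):
                continue
            avc = AVC_RE.match(value)
            if avc:
                _merge_avc(rec, avc)
                continue
        rec.setdefault(key, value)
    if "avc" not in rec:  # kernel AVC form: payload is not inside msg='...'
        avc = AVC_RE.search(line)
        if avc:
            _merge_avc(rec, avc)
    return rec


def selinux_type(context):
    """user:role:type:level -> type, or None if the context is malformed."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def find_logrotate_denials(lines, source_type="logrotate_t"):
    """Return a summary of every AVC denial whose source domain is source_type."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") not in ("AVC", "USER_AVC") or rec.get("avc") != "denied":
            continue
        if selinux_type(rec.get("scontext")) != source_type:
            continue
        hits.append({
            "event": rec.get("event"),
            "cmdline": rec.get("cmdline"),
            "perms": rec.get("perms", []),
            "tclass": rec.get("tclass"),
            "target": selinux_type(rec.get("tcontext")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_logrotate_denials(SAMPLE_AUDIT_LINES):
        print("logrotate denied {perms} on {tclass} ({target}) running: {cmdline}"
              .format(**hit))
```

Run against a real /var/log/audit/audit.log the same function reports each postrotate command that SELinux blocked, which is the signal to check whether the rotated httpd logs were actually reopened.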

Environment

  • Red Hat Enterprise Linux 7
  • Multiple instances of the Apache HTTP Server - httpd running on one host
  • Using single logrotate configuration for the rotation of all logs of all httpd instances
