https://bugzilla.redhat.com/show_bug.cgi?id=1426600
Bug ID: 1426600
Summary: /etc/logrotate.d/rabbitmq-server leads to "Password: su: Authentication failure"
Product: Fedora EPEL
Version: epel7
Component: rabbitmq-server
Severity: medium
Assignee: lemenkov@gmail.com
Reporter: redhat-bugzilla@linuxnetz.de
QA Contact: extras-qa@fedoraproject.org
CC: erlang@lists.fedoraproject.org, hubert.plociniczak@gmail.com, jeckersb@redhat.com, josh@fornwall.com, lemenkov@gmail.com, rjones@redhat.com, robert.scheck@etes.de, s@shk.io
Description of problem: /etc/logrotate.d/rabbitmq-server leads to the following logrotate failures:
--- snipp ---
Date: Fri, 24 Feb 2017 03:37:11 +0100 (CET)
From: Anacron root@tux.example.net
To: root@tux.example.net
Subject: Anacron job 'cron.daily' on tux.example.net
Message-Id: 20170224023711.2735E406C4@tux.example.net

/etc/cron.daily/logrotate:

Password: su: Authentication failure
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
--- snapp ---
Version-Release number of selected component (if applicable): rabbitmq-server-3.3.5-31.el7.noarch
How reproducible: Every time, just install rabbitmq-server on RHEL 7.3 with SELinux enforced.
Actual results: /etc/logrotate.d/rabbitmq-server leads to failure messages.
Expected results: Working logrotate via /etc/logrotate.d/rabbitmq-server simply.
Gerald Vogt vogt@spamcop.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |vogt@spamcop.net

--- Comment #1 from Gerald Vogt vogt@spamcop.net ---
Same here. The problem is the su in the rabbitmqctl script. To reproduce you can set up a simple cron job:
/etc/cron.d/test:
* * * * * root /root/test.sh

/root/test.sh:
#!/bin/bash
# show the identity and SELinux context cron hands the script
echo "id: `id`"
echo "id -r -u: `id -r -u`"
echo "id -r -g: `id -r -g`"
# the same root-to-rabbitmq switch rabbitmqctl performs
su rabbitmq -s /bin/sh -c "id"
---------
Set context of test.sh to system_u:object_r:logrotate_exec_t:s0.
Output of cronjob:
id: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:logrotate_t:s0-s0:c0.c1023
id -r -u: 0
id -r -g: 0
Password: su: Authentication information cannot be recovered
---------

audit.log contains:
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
---------
This happens even if a local policy has been added to allow it:
# audit2allow < /var/log/audit/audit.log

#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t self:passwd passwd;
---------

I have modified /etc/pam.d/su to enable debug output for rootok:
auth sufficient pam_rootok.so debug

and /var/log/secure also contains the following message then:
su: pam_rootok(su:auth): root check failed
If the test script is bin_t instead of logrotate_exec_t it works.
sudo instead of su also works.
Thus, either SELinux needs to be adjusted or the rabbitmqctl script should use sudo instead of su to change from the root to the rabbitmq user.
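An added triage helper (example code, not from the bug report or the rabbitmq-server package) that parses the USER_AVC record quoted in comment #1 and recognises the pattern of this bug: a passwd-class denial raised by /usr/bin/su while the calling process runs in logrotate_t. USER_AVC records are emitted by a userspace object manager (here su's PAM stack via libselinux) rather than the kernel, so separating them from ordinary AVC records helps when triaging; the function names are assumptions and the embedded sample line is the one from the comment.

```shell
#!/bin/bash
# Added example, not part of the bug report. Helper names are made up for
# this illustration. The sample record is the USER_AVC line from comment #1,
# embedded here so the script runs offline.
SAMPLE_AVC="type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe=\"/usr/bin/su\" sauid=0 hostname=? addr=? terminal=?'"

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\"\{0,1\}\([^ \"']*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_domain CONTEXT: the type (third field) of an SELinux context string
avc_domain() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_su_rootok_denial LINE: succeed only for the pattern seen in this bug:
# a userspace (USER_AVC) denial, class passwd, raised by /usr/bin/su while
# the source domain is logrotate_t. Ordinary kernel AVC lines are rejected.
is_su_rootok_denial() {
    line=$1
    case $line in *type=USER_AVC*) ;; *) return 1 ;; esac
    [ "$(avc_field "$line" tclass)" = passwd ] || return 1
    [ "$(avc_field "$line" exe)" = /usr/bin/su ] || return 1
    [ "$(avc_domain "$(avc_field "$line" scontext)")" = logrotate_t ] || return 1
}

# Report what a postrotate run under logrotate_t tripped over.
if is_su_rootok_denial "$SAMPLE_AVC"; then
    printf 'su rootok check denied: domain=%s class=%s perm=%s exe=%s\n' \
        "$(avc_domain "$(avc_field "$SAMPLE_AVC" scontext)")" \
        "$(avc_field "$SAMPLE_AVC" tclass)" \
        "$(avc_perm "$SAMPLE_AVC")" \
        "$(avc_field "$SAMPLE_AVC" exe)"
fi
```

Pipe the relevant lines of /var/log/audit/audit.log through is_su_rootok_denial one at a time to separate this userspace check from the file-access denials logrotate itself can produce.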
Alex aizmaylov@infoxchange.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |aizmaylov@infoxchange.org

--- Comment #2 from Alex aizmaylov@infoxchange.org ---
Hi Redhat
We also met the same problem.
CentOS Linux release 7.3.1611
Kernel 4.12.8-1.el7.elrepo.x86_64
Rabbitmq-server 3.6.9-1

E-mail from logrotate:
========================================================
To: "root@pm-mq-02" root@pm-mq-02
Subject: Anacron job 'cron.daily' on pm-mq-02

/etc/cron.daily/logrotate:

Password: su: Authentication failure
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
========================================================
Robert Scheck redhat-bugzilla@linuxnetz.de changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|        |needinfo?(lemenkov@gmail.com)
Peter Lemenkov plemenko@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Depends On|        |1413775
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1413775 [Bug 1413775] rabbitmqctl rotate_logs issues with selinux in OSP 9 and 10
Bug 1426600 depends on bug 1413775, which changed state.
Bug 1413775 Summary: rabbitmqctl rotate_logs issues with selinux in OSP 9 and 10 https://bugzilla.redhat.com/show_bug.cgi?id=1413775
What      |Removed |Added
----------------------------------------------------------------------------
Status    |POST    |CLOSED
Resolution|---     |CURRENTRELEASE