All,
I am facing an issue: log rotation is not working for me as expected for Tomcat on CentOS 7.2. I configured the log rotation command in crontab:
*/5 * * * * root /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
I am trying to rotate the Tomcat logs below, which are owned by the application user ID.
/usr/local/tomcat/logs
ls -ltr catalina*
-rw-r-----. 1 appid appgrp 8910 Jun 17 19:28 catalina.2016-06-17.log
-rw-r-----. 1 appid appgrp 104739 Jun 20 17:28 catalina.2016-06-20.log
-rw-r-----. 1 appid appgrp 26051 Jul 1 17:00 catalina.2016-07-01.log
-rw-r-----. 1 appid appgrp 39238 Jul 20 20:34 catalina.2016-07-20.log
-rw-r-----. 1 appid appgrp 6141522000 Aug 4 19:05 catalina.out
As you can see above, catalina.out is 6 GB; it should have been rotated at 10M, which didn't happen.
CentOS Linux release 7.2.1511 (Core)
/usr/local/tomcat/logs/catalina.out
{
rotate 25
size 10M
missingok
start 0
nodateext
notifempty
compress
delaycompress
copytruncate
create 744 crtc crtc
sharedscripts
postrotate
endscript
}
I checked the audit logs and found the error messages below:
type=AVC msg=audit(1470324541.165:210294): avc: denied { create } for pid=11644 comm="logrotate" name="catalina.out.0" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
type=AVC msg=audit(1470325921.157:98): avc: denied { write } for pid=2790 comm="logrotate" name="catalina.out.0" dev="vda1" ino=658223 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
I tried to create a logrotate_t.pp file, still no luck. It works only when I put SELinux in permissive mode:
# getenforce
Permissive
Is there any alternative workaround to deal with this issue, as I don't want to keep SELinux in permissive mode?
Thanks in advance.
Shekar
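An added check for the denials quoted in the question (example script, not from the poster): it parses the two AVC lines, confirms the target type is the generic usr_t rather than a log type, and prints the relabel that lets logrotate_t manage the directory without loosening policy. The directory path and denial lines are taken from the post; the script assumes the files carry usr_t only because they live under /usr/local.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the AVC denials shown in
# the question and derives an SELinux relabel instead of a custom allow module.

# Constructed sample: the two AVC lines quoted in the question.
AVC_SAMPLE='type=AVC msg=audit(1470324541.165:210294): avc: denied { create } for pid=11644 comm="logrotate" name="catalina.out.0" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1470325921.157:98): avc: denied { write } for pid=2790 comm="logrotate" name="catalina.out.0" dev="vda1" ino=658223 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# Extract the SELinux type (third field) of scontext= or tcontext= from AVC
# lines on stdin; $1 is the field name. Prints each distinct type once.
avc_types() {
    sed -n "s/.*$1=[^:]*:[^:]*:\([^:]*\):.*/\1/p" | sort -u
}

# Print the set of denied permissions, e.g. "create write".
avc_denied_perms() {
    sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Commands an admin runs so logrotate_t may manage the files: label the log
# directory var_log_t (a logfile type logrotate policy is allowed to manage)
# instead of the usr_t it inherited from /usr/local. Printed, not executed.
relabel_commands() {
    dir=$1
    printf 'semanage fcontext -a -t var_log_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

main() {
    src=$(printf '%s\n' "$AVC_SAMPLE" | avc_types scontext)
    tgt=$(printf '%s\n' "$AVC_SAMPLE" | avc_types tcontext)
    perms=$(printf '%s\n' "$AVC_SAMPLE" | avc_denied_perms)
    echo "denied: $src -> $tgt { $perms }"
    # usr_t on a rotated log is the tell-tale sign of a mislabelled log directory
    if [ "$tgt" = usr_t ]; then
        relabel_commands /usr/local/tomcat/logs
    fi
}

main
```

After relabelling, `ls -Z /usr/local/tomcat/logs` should show var_log_t and the next cron run of logrotate should produce no new AVC entries in `ausearch -m avc -c logrotate`.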