logrotate problems, again.

Daniel J Walsh dwalsh at redhat.com
Mon Oct 27 19:18:31 UTC 2008


Gene Heskett wrote:
> Greetings;
> 
> Like most who run fetchmail, I have cobbled up a script for logrotate to 
> maintain the logs.
> 
> Unforch, every time I think I have it running correctly for about a month, 
> then selinux has to get into the act.  From an email I got this morning:
> ------
> /etc/cron.daily/logrotate:
> 
> system_u:system_r:unconfined_t:s0 is not a valid context
> error: error running non-shared postrotate script for /var/log/fetchmail.log of '/var/log/fetchmail.log '
> --------
> 
> So I assume it's failed again.
> -------------------
> [root at coyote ~]# ls -l --lcontext /var/log/fetchmail.*
> -rw------- 1 system_u:object_r:var_log_t:s0   gene gene        0 2008-10-26 03:13 /var/log/fetchmail.log
> -rw-r--r-- 1 system_u:object_r:var_log_t:s0   gene gene 80343007 2008-09-28 06:13 /var/log/fetchmail.log-20080928
> -rw------- 1 system_u:object_r:var_log_t:s0   gene gene   202387 2008-10-05 05:09 /var/log/fetchmail.log-20081005.gz
> -rw------- 1 system_u:object_r:var_log_t:s0   gene gene   197849 2008-10-12 05:09 /var/log/fetchmail.log-20081012.gz
> -rw------- 1 system_u:object_r:var_log_t:s0   gene gene   196517 2008-10-19 05:09 /var/log/fetchmail.log-20081019.gz
> -rw------- 1 system_u:object_r:var_log_t:s0   gene gene  3298789 2008-10-26 03:13 /var/log/fetchmail.log-20081026
> --------------------
> 
> And I haven't fixed anything.  And as can be seen from the size, it did fail.
> 
> Here is that stanza of logrotate's input 'mail' script:
> ---------------------------------
> # Logrotate file for fetchmail.log and procmail.log
>  
> /var/log/fetchmail.log {
> 	missingok
> 	compress
> 	notifempty
> 	weekly
> 	rotate 5
> 	create 0600 gene gene
>         postrotate
>                /usr/bin/killall fetchmail
> 		sleep 1
> ========
> # It appears that the non-logged in syntax is incorrect, so it did not restart 
> # fetchmail, causing the email above.
> 		runcon -t unconfined_t -- runuser -l -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc" gene
> 
This command is asking the system to run a process as
system_u:system_r:unconfined_t, which is not valid on F9 or Rawhide.

And this is probably not something you want to do.

> # So the above line has been commented, and this line substituted, which 
> # worked to restart fetchmail right now.
> 
> su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
> 
> # Which explains the email message from anacron, but this still leaves the 
> # question as to why the log was NOT rotated.  It was not.  Next question:
> # Does anacron have rights to su to gene?
> 
> ========
>         endscript
> }
> /var/log/procmail.log {
>         missingok
>         compress
>         notifempty
>         weekly
>         rotate 5
>         create 0600 gene gene
> }
> -----------------------------
> 
> It's a bit confusing to me because the syntax I must use when I launch 
> fetchmail from rc.local, where no one is logged in yet during the bootup, is 
> different from the syntax I have to use when I'm logged in, usually as root.  
> And here, since it runs 24/7, there is me logged in.
> 
> What is the permanent cure for this problem please?
> 
> Thanks.
> 

I am not sure why logrotate could not rotate the log file.

Is the script trying to run fetchmail as the user gene?  What AVC are
you seeing?
