Logrotate

Log error stat failed: Permission denied during LogRotation

  • January 17, 2022

After installing a new CentOS 6.0 server, logrotate worked very well. Then one day the server had to be hard-rebooted because of a kernel panic, and since then logrotate has not been rotating the logs.

So I made a separate cron entry to manually force log rotation and redirected the output to a log file, and I get the following lines for every file:

rotating pattern: /home/mail3/log/popMailProcessing.log  forced from command line (60 rotations)
empty log files are rotated, old logs are removed
considering log /home/mail3/log/popMailProcessing.log
error: stat of /home/mail3/log/popMailProcessing.log failed: Permission denied

However, if I do the logrotation manually from the command line, it runs perfectly. The command I use on the command line is:

logrotate -v -f /etc/logrotate.d/mail3-logs

My logrotate.conf file is:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
   monthly
   create 0664 root utmp
       minsize 1M
   rotate 1
}

/var/log/btmp {
   missingok
   monthly
   create 0600 root utmp
   rotate 1
}

# system-specific logs may be also be configured here.

The log rotation file that logrotate uses via the cron job is:

dateext
/home/mail3/log/pop.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/oc4j.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/incoming.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/mailpro.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/imap.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/outgoing.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/smtpout.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/retry.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/mailinglist.log {
       daily
       rotate 60
       copytruncate
       compress
}
/home/mail3/log/migrate.log {
       daily
       rotate 60
       copytruncate
       compress
}

My crontab entry is:

03 00 * * * root /usr/sbin/logrotate -f -v /etc/logrotate.d/mail3-logs &>> /var/log/logrotate/rotate.log

SELinux is enforcing, and it was also enforcing before the hard reboot. The directory holding the logs has root as its owner, and the directory has full permissions.

Any clue as to what is causing the permission denied error?

Your original error message doesn't match what you posted for how you run logrotate.

rotating pattern: /home/mail3/log/popMailProcessing.log  forced from command line (60 rotations)
empty log files are rotated, old logs are removed
considering log /home//log/popMailProcessing.log
error: stat of /home/mail3/log/popMailProcessing.log failed: Permission denied

What are these /home/mail3/log/* paths doing? And what is missing in /home//log/popMailProcessing.log? It seems you've only shown some of what is actually going on in your question.

Debugging the problem

Put this line into a shell script, logrotate.sh:

#!/bin/bash
/usr/sbin/logrotate -f -v /etc/logrotate.d/mail3-logs &>> /var/log/logrotate/rotate.log

Make it executable and run it from cron like this:

03 00 * * * root strace -s 2000 -o /tmp/strace.log /path/to/logrotate.bash

As you go through the output, you should see what is causing the permission problem.

Edit #1

After talking with the OP, he mentioned that the debugging technique above revealed that SELinux was enabled. He was confused as to why this was the case, since he had previously disabled it with the command setenforce 0.

Disabling SELinux that way only lasts until the next reboot. The default mode of SELinux is determined by this file on Fedora/CentOS:

$ cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted

To permanently disable SELinux, you need to change the SELINUX=... line to one of the 3 states: enforcing, permissive, disabled.

However, I'd encourage you to take the time to understand why SELinux is not allowing access to the directory where these log files live, and to add the appropriate context so that SELinux allows this access. SELinux is an important part of the layered security model promoted on the Linux distributions that use it, and blindly disabling it takes away one of those key layers.

I don't think disabling SELinux is the best option. In my opinion, the better solution is to create and apply a policy. Here is an example of how to do this for another policy: http://www.greenvalleyconsulting.org/2015/01/28/installing-coldfusion-11-on-centos-6-6-with-selinux-enforcing/. The same concept will apply to a logrotate_t policy instead of the httpd_t outlined in the link.

See the steps in the link for installing policycoreutils-python. Then run

grep logrotate /var/log/audit/audit.log | audit2why

audit2allow -a

Look for logrotate_t; it will most likely look something like this

#============= logrotate_t ==============
allow logrotate_t file_t:file getattr;

Then run

audit2allow -a -M logrotate_t

semodule -i logrotate_t.pp

chcon -R -t logrotate_t /[your log file location]/*.log
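Before turning audit2allow output into a module, it helps to see exactly which (domain, target type, class, permission) tuples are being denied and whether the target files are even labelled. The script below is an added example, not code from either answer; the audit lines it parses are constructed to mirror the getattr denial shown above, and the function names avc_summary and unlabeled_targets are my own.

```bash
#!/bin/bash
# Added example (not from the page): triage SELinux AVC denials for logrotate
# before building a policy module. Input is audit.log-format text on stdin;
# the sample lines below are constructed and mirror the getattr denial above.

sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1642377780.101:401): avc:  denied  { getattr } for  pid=2101 comm="logrotate" path="/home/mail3/log/popMailProcessing.log" dev=dm-0 ino=393222 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1642377780.102:402): avc:  denied  { getattr } for  pid=2101 comm="logrotate" path="/home/mail3/log/pop.log" dev=dm-0 ino=393223 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1642377780.103:403): avc:  denied  { read } for  pid=2101 comm="logrotate" name="log" dev=dm-0 ino=393210 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1642377780.103:403): arch=c000003e syscall=4 success=no exit=-13 comm="logrotate"
EOF
}

# Print one line per distinct "source target:class perms count" tuple for the
# given source domain. This is what audit2allow turns into allow rules, so
# reading it first shows exactly what a generated module would grant.
avc_summary() {
    awk -v dom="${1:-logrotate_t}" '
        /type=AVC/ && /avc: +denied/ {
            perm = src = tgt = cls = ""
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "scontext") { split(val, c, ":"); src = c[3] }
                else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
                else if (key == "tclass") cls = val
            }
            if (src == dom) seen[src " " tgt ":" cls " " perm]++
        }
        END { for (k in seen) print k, seen[k] }' | sort
}

# Paths whose target type is file_t or unlabeled_t. Such files carry no usable
# label, so the fix is relabeling (restorecon -Rv <dir>) rather than an allow
# rule; an "allow logrotate_t file_t:file getattr" rule would hide that.
unlabeled_targets() {
    grep 'avc: *denied' | grep -E 'tcontext=[^ ]*:(file_t|unlabeled_t):' \
      | sed -n 's/.*path="\([^"]*\)".*/\1/p' | sort -u
}

# Usage: sample_audit_log | avc_summary ; sample_audit_log | unlabeled_targets
```

On a real host, replace sample_audit_log with `grep logrotate /var/log/audit/audit.log`; a target type of file_t in the summary means the log files were never labelled, which a relabel fixes without any custom module.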

Quoted from: https://unix.stackexchange.com/questions/120793