related bug: 522024
The proposed solution has logrotate su to the mysql user and then run the flush-logs command, i.e.:
/bin/su -c '/usr/bin/mysqladmin flush-logs -u mysql' -s /bin/sh mysql
The logrotate_t domain has:
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
which would seem sufficient for mysqladmin itself (reading the client config and connecting to the server socket). The denials below, however, all come from su and its child unix_chkpwd, not from mysqladmin: su stays in logrotate_t (no domain transition — note subj=system_u:system_r:logrotate_t on every SYSCALL record and execute_no_trans on chkpwd_exec_t), creates/binds a netlink_selinux_socket, writes to selinuxfs ("access") and does compute_av, executes unix_chkpwd, and unix_chkpwd then reads /etc/shadow — none of which the two mysql interfaces cover. Simply allowing all of this in logrotate_t would give the log-rotation domain read access to shadow_t, a far broader grant than the two mysql interfaces, so a fix should avoid that rather than just adding the denied rules.
When logrotate executes (before making the domain permissive), I get only the first denial, presumably because su fails at that point:
type=AVC msg=audit(1421588401.221:247): avc: denied { create } for pid=9642 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
With logrotate_t made permissive (`semanage permissive -a logrotate_t`), the full chain is logged (note success=yes on the SYSCALL records):
type=AVC msg=audit(1421589001.915:256): avc: denied { create } for pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1421589001.915:256): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=10385 pid=10386 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="su" exe="/bin/su" subj=system_u:system_r:logrotate_t key=(null)
type=AVC msg=audit(1421589001.915:257): avc: denied { bind } for pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1421589001.915:257): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fffe704a5f0 a2=c a3=1 items=0 ppid=10385 pid=10386 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="su" exe="/bin/su" subj=system_u:system_r:logrotate_t key=(null)
type=SOCKADDR msg=audit(1421589001.915:257): saddr=100000000000000001000000
type=AVC msg=audit(1421589001.915:258): avc: denied { write } for pid=10386 comm="su" name="access" dev="selinuxfs" ino=6 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:security_t tclass=file
type=AVC msg=audit(1421589001.915:259): avc: denied { compute_av } for pid=10386 comm="su" scontext=system_u:system_r:logrotate_t 
tcontext=system_u:object_r:security_t tclass=security type=AVC msg=audit(1421589001.925:260): avc: denied { execute } for pid=10387 comm="su" name="unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file type=AVC msg=audit(1421589001.925:260): avc: denied { read open } for pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file type=AVC msg=audit(1421589001.925:260): avc: denied { execute_no_trans } for pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file type=SYSCALL msg=audit(1421589001.925:260): arch=c000003e syscall=59 success=yes exit=0 a0=7fdaafe9324d a1=7fffe704a440 a2=7fdab0096028 a3=7fdab06c9090 items=2 ppid=10386 pid=10387 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:logrotate_t key=(null) type=EXECVE msg=audit(1421589001.925:260): argc=3 a0="/sbin/unix_chkpwd" a1="mysql" a2="chkexpiry" type=CWD msg=audit(1421589001.925:260): cwd="/" type=PATH msg=audit(1421589001.925:260): item=0 name="/sbin/unix_chkpwd" inode=2228305 dev=ca:00 mode=0104711 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t nametype=NORMAL type=PATH msg=audit(1421589001.925:260): item=1 name=(null) inode=1048827 dev=ca:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL type=AVC msg=audit(1421589001.928:261): avc: denied { read } for pid=10387 comm="unix_chkpwd" name="shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC msg=audit(1421589001.928:261): avc: denied { open } for pid=10387 comm="unix_chkpwd" path="/etc/shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t 
tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.928:262): avc: denied { getattr } for pid=10387 comm="unix_chkpwd" path="/etc/shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.971:263): avc: denied { dac_read_search } for pid=10393 comm="mandb" capability=2 scontext=system_u:system_r:mandb_t tcontext=system_u:system_r:mandb_t tclass=capability
type=AVC msg=audit(1421589001.971:263): avc: denied { dac_override } for pid=10393 comm="mandb" capability=1 scontext=system_u:system_r:mandb_t tcontext=system_u:system_r:mandb_t tclass=capability
type=SYSCALL msg=audit(1421589001.971:263): arch=c000003e syscall=59 success=yes exit=0 a0=7fff4e5d0d25 a1=7fff4e5d0f10 a2=7fff4e5d0f28 a3=7f5d9c8f1d10 items=2 ppid=10376 pid=10393 auid=1000 uid=0 gid=0 euid=13 suid=13 fsuid=13 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t key=(null)
type=EXECVE msg=audit(1421589001.971:263): argc=2 a0="mandb" a1="--quiet"
type=CWD msg=audit(1421589001.971:263): cwd="/"
type=PATH msg=audit(1421589001.971:263): item=0 name="/usr/bin/mandb" inode=2752536 dev=ca:00 mode=0104711 ouid=13 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t nametype=NORMAL
type=PATH msg=audit(1421589001.971:263): item=1 name=(null) inode=1048827 dev=ca:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL
Reproducible: Always
(The trailing audit 263 records are for /usr/bin/mandb in the mandb_t domain — dac_read_search/dac_override capability denials from a different process (ppid=10376) — and appear unrelated to the su/mysqladmin issue above; only the logrotate_t records from su and unix_chkpwd are relevant here.)