Bug 536976 - logrotate_t cannot su
Summary: logrotate_t cannot su
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-18 13:53 UTC by Jason Zaman
Modified: 2015-01-18 13:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jason Zaman gentoo-dev 2015-01-18 13:53:11 UTC
related bug: 522024

The solution requires having logrotate su to the mysql user and then running the flushlogs command by doing:
/bin/su -c '/usr/bin/mysqladmin flush-logs -u mysql' -s /bin/sh mysql

The logrotate_t domain has:
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
which seems enough.

When logrotate executes, I get:
type=AVC msg=audit(1421588401.221:247): avc:  denied  { create } for  pid=9642 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket


with semanage permissive -a logrotate:

type=AVC msg=audit(1421589001.915:256): avc:  denied  { create } for  pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1421589001.915:256): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=10385 pid=10386 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="su" exe="/bin/su" subj=system_u:system_r:logrotate_t key=(null)
type=AVC msg=audit(1421589001.915:257): avc:  denied  { bind } for  pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1421589001.915:257): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fffe704a5f0 a2=c a3=1 items=0 ppid=10385 pid=10386 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="su" exe="/bin/su" subj=system_u:system_r:logrotate_t key=(null)
type=SOCKADDR msg=audit(1421589001.915:257): saddr=100000000000000001000000
type=AVC msg=audit(1421589001.915:258): avc:  denied  { write } for  pid=10386 comm="su" name="access" dev="selinuxfs" ino=6 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:security_t tclass=file
type=AVC msg=audit(1421589001.915:259): avc:  denied  { compute_av } for  pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:security_t tclass=security
type=AVC msg=audit(1421589001.925:260): avc:  denied  { execute } for  pid=10387 comm="su" name="unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=AVC msg=audit(1421589001.925:260): avc:  denied  { read open } for  pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=AVC msg=audit(1421589001.925:260): avc:  denied  { execute_no_trans } for  pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=SYSCALL msg=audit(1421589001.925:260): arch=c000003e syscall=59 success=yes exit=0 a0=7fdaafe9324d a1=7fffe704a440 a2=7fdab0096028 a3=7fdab06c9090 items=2 ppid=10386 pid=10387 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:logrotate_t key=(null)
type=EXECVE msg=audit(1421589001.925:260): argc=3 a0="/sbin/unix_chkpwd" a1="mysql" a2="chkexpiry"
type=CWD msg=audit(1421589001.925:260):  cwd="/"
type=PATH msg=audit(1421589001.925:260): item=0 name="/sbin/unix_chkpwd" inode=2228305 dev=ca:00 mode=0104711 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t nametype=NORMAL
type=PATH msg=audit(1421589001.925:260): item=1 name=(null) inode=1048827 dev=ca:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL
type=AVC msg=audit(1421589001.928:261): avc:  denied  { read } for  pid=10387 comm="unix_chkpwd" name="shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.928:261): avc:  denied  { open } for  pid=10387 comm="unix_chkpwd" path="/etc/shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.928:262): avc:  denied  { getattr } for  pid=10387 comm="unix_chkpwd" path="/etc/shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.971:263): avc:  denied  { dac_read_search } for  pid=10393 comm="mandb" capability=2  scontext=system_u:system_r:mandb_t tcontext=system_u:system_r:mandb_t tclass=capability
type=AVC msg=audit(1421589001.971:263): avc:  denied  { dac_override } for  pid=10393 comm="mandb" capability=1  scontext=system_u:system_r:mandb_t tcontext=system_u:system_r:mandb_t tclass=capability
type=SYSCALL msg=audit(1421589001.971:263): arch=c000003e syscall=59 success=yes exit=0 a0=7fff4e5d0d25 a1=7fff4e5d0f10 a2=7fff4e5d0f28 a3=7f5d9c8f1d10 items=2 ppid=10376 pid=10393 auid=1000 uid=0 gid=0 euid=13 suid=13 fsuid=13 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t key=(null)
type=EXECVE msg=audit(1421589001.971:263): argc=2 a0="mandb" a1="--quiet"
type=CWD msg=audit(1421589001.971:263):  cwd="/"
type=PATH msg=audit(1421589001.971:263): item=0 name="/usr/bin/mandb" inode=2752536 dev=ca:00 mode=0104711 ouid=13 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t nametype=NORMAL
type=PATH msg=audit(1421589001.971:263): item=1 name=(null) inode=1048827 dev=ca:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL


Reproducible: Always
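The denials above are easier to reason about once they are grouped the way audit2allow would group them: per (source type, target type, object class) with the union of denied permissions. The script below is an added example, not part of the bug report or of the Gentoo policy; it parses a constructed subset of the AVC records quoted above, filters to the logrotate_t domain so the unrelated mandb_t noise drops out, and flags any rule whose target is shadow_t, since granting that to logrotate_t directly would be the wrong fix (the execute_no_trans denial at :260 shows unix_chkpwd ran inside logrotate_t instead of transitioning to the password checker's own domain, which is where the shadow reads belong).

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above (a constructed subset).
# The SOCKADDR record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1421589001.915:256): avc:  denied  { create } for  pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=AVC msg=audit(1421589001.915:257): avc:  denied  { bind } for  pid=10386 comm="su" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:logrotate_t tclass=netlink_selinux_socket
type=SOCKADDR msg=audit(1421589001.915:257): saddr=100000000000000001000000
type=AVC msg=audit(1421589001.925:260): avc:  denied  { execute } for  pid=10387 comm="su" name="unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=AVC msg=audit(1421589001.925:260): avc:  denied  { read open } for  pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=AVC msg=audit(1421589001.925:260): avc:  denied  { execute_no_trans } for  pid=10387 comm="su" path="/sbin/unix_chkpwd" dev="xvda" ino=2228305 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
type=AVC msg=audit(1421589001.928:261): avc:  denied  { read } for  pid=10387 comm="unix_chkpwd" name="shadow" dev="xvda" ino=393868 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1421589001.971:263): avc:  denied  { dac_override } for  pid=10393 comm="mandb" capability=1  scontext=system_u:system_r:mandb_t tcontext=system_u:system_r:mandb_t tclass=capability
"""

# Matches one denied AVC record and captures the permission set plus the
# three fields an allow rule is built from. Lazy ".*?" skips the variable
# middle part (pid, comm, name/path, capability) that differs per record.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return (source_type, target_type, tclass, permission) tuples, one per
    denied permission, for every denied AVC record in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH, SOCKADDR, ... records carry no denial
        for perm in m.group('perms').split():
            denials.append((context_type(m.group('scontext')),
                            context_type(m.group('tcontext')),
                            m.group('tclass'), perm))
    return denials


def summarize(denials, domain=None):
    """Group denials by (source, target, class) into a sorted permission list.
    When domain is given, keep only denials whose source type is that domain,
    so records from unrelated domains in the same audit window are dropped."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        if domain is not None and stype != domain:
            continue
        grouped[(stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in sorted(grouped.items())}


def allow_rules(summary):
    """Render the summary as allow rules in the form audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
            for (s, t, c), perms in summary.items()]


def sensitive_hits(summary, sensitive=frozenset({"shadow_t"})):
    """Return the keys whose target type is in the sensitive set, so a reviewer
    sees which generated rules would grant access the domain should not hold
    directly (here: logrotate_t reading /etc/shadow)."""
    return [key for key in summary if key[1] in sensitive]


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    logrotate_only = summarize(denials, domain="logrotate_t")
    for rule in allow_rules(logrotate_only):
        print(rule)
    for key in sensitive_hits(logrotate_only):
        print("REVIEW: rule targets a sensitive type:", key)
```

Run on the sample, the logrotate_t filter yields three rules (chkpwd_exec_t:file, logrotate_t:netlink_selinux_socket, shadow_t:file) and the shadow_t one is flagged for review; the mandb_t capability denial is excluded as unrelated to this bug.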