I'm getting "denied" events in the audit log for logrotate: type=AVC msg=audit(1519632601.131:956): avc: denied { create } for pid=18754 comm="logrotate" name="logrotate.status.tmp" scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1 type=AVC msg=audit(1519632601.131:956): avc: denied { write } for pid=18754 comm="logrotate" path="/var/lib/misc/logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1 type=AVC msg=audit(1519632601.131:957): avc: denied { setattr } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1 type=AVC msg=audit(1519632601.135:958): avc: denied { rename } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1 logrotate is now putting the status file in /var/log/misc/ per bug 357275, but the policy still has it in /var/lib/. /var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t /var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t app-admin/logrotate-3.13.0 sec-policy/selinux-logrotate-2.20180114-r1
Patch submitted to upstream, it'll land in our next policy release. Apologies for the long delay!