I'm getting "denied" events in the audit log for logrotate:

type=AVC msg=audit(1519632601.131:956): avc: denied { create } for pid=18754 comm="logrotate" name="logrotate.status.tmp" scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.131:956): avc: denied { write } for pid=18754 comm="logrotate" path="/var/lib/misc/logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.131:957): avc: denied { setattr } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.135:958): avc: denied { rename } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1

logrotate is now putting the status file in /var/log/misc/ per bug 357275, but the policy still has it in /var/lib/.

/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t

app-admin/logrotate-3.13.0
sec-policy/selinux-logrotate-2.20180114-r1
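Added example, not part of the original report or of the policy project: a Python script that parses the AVC records quoted above, groups the denied permissions by source type, target type and class, and tests the denied path against the two file-context patterns from the report. The function names are made up for this illustration, and the matcher is a simplification (an assumption of this example): it does a full regex match only and ignores the file-type flag and libselinux's specificity ordering.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, one record per line.
AVC_LOG = """\
type=AVC msg=audit(1519632601.131:956): avc: denied { create } for pid=18754 comm="logrotate" name="logrotate.status.tmp" scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.131:956): avc: denied { write } for pid=18754 comm="logrotate" path="/var/lib/misc/logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.131:957): avc: denied { setattr } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1519632601.135:958): avc: denied { rename } for pid=18754 comm="logrotate" name="logrotate.status.tmp" dev="sda2" ino=2843162 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
"""

# File-context entries quoted in the report: (path regex, file-type flag, context).
FILE_CONTEXTS = [
    (r"/var/lib/logrotate(/.*)?", None, "system_u:object_r:logrotate_var_lib_t"),
    (r"/var/lib/logrotate\.status", "--", "system_u:object_r:logrotate_var_lib_t"),
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def summarize(log):
    """Group denied permissions by (source type, target type, class); collect paths."""
    perms, paths = defaultdict(set), set()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        perms[key].update(rec["perms"])
        if "path" in rec:
            paths.add(rec["path"])
    return dict(perms), paths

def matching_context(path):
    """Context of a quoted pattern that fully matches path, or None (simplified)."""
    for regex, _ftype, context in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            return context
    return None

if __name__ == "__main__":
    perms, paths = summarize(AVC_LOG)
    for (src, tgt, cls), denied in perms.items():
        print(f"{src} -> {tgt}:{cls} denied {sorted(denied)}")
    for p in sorted(paths):
        print(p, "->", matching_context(p) or "no logrotate pattern matches")
```

A path that matches neither pattern is not labelled logrotate_var_lib_t by these entries, which is consistent with the var_lib_t target context in the denials.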
Patch submitted to upstream, it'll land in our next policy release. Apologies for the long delay!
I just noticed this ancient bug I started is still open. I don't run selinux any more but I see the base policy was fixed upstream in 2018: https://github.com/SELinuxProject/refpolicy/commit/a604ae7ca2b8c1afa76011c53aba214b2fee82e4 "Some distros configure logrotate to put its status file somewhere else than the default /var/lib/logrotate.status. Debian puts it in /var/lib/logrotate/, and Gentoo uses /var/lib/misc/." Can this bug be marked resolved fixed?