日志旋转“权限被拒绝”错误
日志旋转“权限被拒绝”错误
提问于 2019-06-19 14:23:01
我试图使日志旋转工作,并继续获得以下错误信息。
/etc/cron.daily/logrotate:
error: error accessing /ftp/logs: Permission denied
error: error opening /ftp/logs/sftp_system.log: Permission denied以下是文件夹权限:
drwxrwx---. 2 psoft psoft 4096 Jun 19 09:05 logs以下是文件的权限:
-rw-rw-r--. 1 psoft psoft 43449642 Jun 19 09:15 sftp_system.log下面是配置:
/ftp/logs/sftp_system.log
{
su psoft psoft
size=25M
rotate 5
copytruncate
create 0664 psoft psoft
notifempty
}我假设日志旋转以root的形式运行。我尝试过更改文件和文件夹的权限和所有权,并且总是得到相同的消息。我的操作系统是Oracle Linux 7,基本上是Redhat 7。
root@DB-PRD1 etc]# ausearch -ts today -m avc -i
----
type=PROCTITLE msg=audit(06/19/2019 03:09:01.964:15543) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
type=SYSCALL msg=audit(06/19/2019 03:09:01.964:15543) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fff6328bd90 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=25062 pid=25065 auid=root uid=root gid=root euid=psoft suid=root fsuid=psoft egid=psoft sgid=root fsgid=psoft tty=(none) ses=1688 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/19/2019 03:09:01.964:15543) : avc: denied { read } for pid=25065 comm=logrotate name=logs dev="dm-3" ino=2097153 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(06/19/2019 03:09:01.965:15544) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
type=SYSCALL msg=audit(06/19/2019 03:09:01.965:15544) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x2574570 a1=O_RDWR|O_NOFOLLOW a2=0x2574570 a3=0x3630393130322d67 items=0 ppid=25062 pid=25065 auid=root uid=root gid=root euid=psoft suid=root fsuid=psoft egid=psoft sgid=root fsgid=psoft tty=(none) ses=1688 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/19/2019 03:09:01.965:15544) : avc: denied { read write } for pid=25065 comm=logrotate name=sftp_system.log dev="dm-3" ino=2097163 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 [root@DB-PRD1 etc]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29今天早上我收到了这封邮件:
/etc/cron.daily/logrotate:
error: error accessing /ftp/logs: Permission denied
error: error creating output file /ftp/logs/sftp_system.log-20190724: Permission denied[root@DB-PRD1 ftp]# ausearch -ts today -m avc -i
----
type=PROCTITLE msg=audit(07/24/2019 03:06:01.809:69341) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
type=SYSCALL msg=audit(07/24/2019 03:06:01.809:69341) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffe0b8767d0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=21723 pid=21725 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7731 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/24/2019 03:06:01.809:69341) : avc: denied { read } for pid=21725 comm=logrotate name=logs dev="dm-3" ino=2097153 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(07/24/2019 03:06:01.809:69342) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
type=SYSCALL msg=audit(07/24/2019 03:06:01.809:69342) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1ccb3a0 a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0xe items=0 ppid=21723 pid=21725 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7731 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/24/2019 03:06:01.809:69342) : avc: denied { write } for pid=21725 comm=logrotate name=logs dev="dm-3" ino=2097153 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0包含文件的目录也需要var_log_t访问才能工作吗?我要试一试,看看这会不会有什么不同。
[root@DB-PRD1 ftp]# ls -dZ logs
drwxrwx---. psoft psoft system_u:object_r:unlabeled_t:s0 logs
[root@DB-PRD1 logs]# ls -Z
-rw-rw-r--. psoft psoft system_u:object_r:var_log_t:s0 sftp_system.log回答 1
Unix & Linux用户
发布于 2019-06-19 15:14:43
您有SELinux附带的Centos。此安全组件阻止在上下文logrotate中运行的logrotate_t进程访问sftp_system.log文件。
解决方案是,通过更改文件的上下文,使log转速进程访问该文件,如下所示:
semanage fcontext -a -t var_log_t /ftp/logs/sftp_system.log
restorecon -v /ftp/logs/sftp_system.log如果没有semanage命令,请安装它,然后重试:
yum install -y policycoreutils-python或者(如果该包不存在):
yum install -y policycoreutils-python-utils或者,您可以将SFTP日志文件从/ftp/根移出/var/log,以自动获得正确的上下文。
页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/525849
复制相关文章
相似问题
腾讯云开发者
