Selinux prevents log rotation

I’ve got Caddy installed from @caddy/caddy Copr via DNF: v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

# ls -lZ /usr/bin/caddy 
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_exec_t:s0 40972440 Sep 30 16:29 /usr/bin/caddy
# ls -alZ /var/log/caddy/
total 106124
drwxr-xr-x.  2 caddy caddy system_u:object_r:httpd_log_t:s0        65 Oct  1 18:20 .
drwxr-xr-x. 11 root  root  system_u:object_r:var_log_t:s0        4096 Oct  1 00:01 ..
-rw-------.  1 caddy caddy system_u:object_r:httpd_log_t:s0 104856960 Oct  2 14:33 access.log

So both the Caddy executable and the /var/log/caddy/ dir are labeled properly for the selinux httpd_t domain.
And yet it keeps denying any changes to the logs.

SELinux is preventing caddy from remove_name access on the directory /var/log/caddy/access.log.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/log/caddy/access.log default label should be var_log_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/log/caddy/access.log

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that caddy should be allowed remove_name access on the access.log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'caddy' --raw | audit2allow -M my-caddy
# semodule -X 300 -i my-caddy.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_log_t:s0
Target Objects                /var/log/caddy/access.log [ dir ]
Source                        caddy
Source Path                   caddy
Port                          <Unknown>
Host                          propserver.mega.corp
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.27-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.27-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     propserver.mega.corp
Platform                      Linux propserver.mega.corp
                              6.10.10-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Thu
                              Sep 12 18:26:09 UTC 2024 x86_64
Alert Count                   29329
First Seen                    2024-10-02 14:33:03 CEST
Last Seen                     2024-10-03 01:27:36 CEST
Local ID                      4e6ec791-946a-4b7d-8915-33ad94198f35

Raw Audit Messages
type=AVC msg=audit(1727911656.528:288): avc:  denied  { remove_name } for  pid=1409 comm="caddy" name="access.log" dev="dm-0" ino=931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0


Hash: caddy,httpd_t,httpd_log_t,dir,remove_name

I have inspected the RPM post-install SELinux instructions in dist/rpm/caddy.spec at master · caddyserver/dist · GitHub and I have verified that indeed all have been applied, yet the issue persists.

I’ve been trying to figure out what it keeps denying for a couple of hours now, but so far I haven’t been able to figure out what the problem is. The suggested relabeling to var_log_t seems like a bad idea to me, since that would screw up the httpd_t SELinux domain.

I feel like the only workable solution is to resort to the default logrotate service provided by Fedora/CentOS/RHEL.
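As an added example (not from the thread, and not code from the Caddy or SELinux projects), here is a small POSIX shell/awk re-implementation of the step the catchall plugin suggests, `ausearch -c 'caddy' --raw | audit2allow -M my-caddy`: it reads raw AVC records and prints the type-enforcement (.te) module that such a local policy would contain. Running it over the denial above shows exactly what the module would grant, which is the point of reviewing it first: a rule scoped to `httpd_t` on `httpd_log_t:dir` for the specific permissions that were denied leaves the file labels and the rest of the httpd_t domain untouched, unlike the restorecon suggestion to relabel the file to var_log_t. The sample input is constructed: the first record is the one from the alert, the other two are hypothetical records of the kind a rename-based rotation would also produce.

```shell
#!/bin/sh
# Added example, not from the thread: a portable awk re-implementation of the
# part of audit2allow(1) that turns raw AVC "denied" records into a minimal
# type-enforcement (.te) module, so the (source type, target type, class,
# permission) tuples a local module would open up can be reviewed before
# running the real `audit2allow -M my-caddy` and `semodule -i my-caddy.pp`.

# Constructed sample: record 1 is the AVC line from the alert; records 2 and 3
# are hypothetical denials a rename-based log rotation would also trigger.
SAMPLE_AVC='type=AVC msg=audit(1727911656.528:288): avc:  denied  { remove_name } for  pid=1409 comm="caddy" name="access.log" dev="dm-0" ino=931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1727911700.001:290): avc:  denied  { rename } for  pid=1409 comm="caddy" name="access.log" dev="dm-0" ino=931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1727911700.001:290): avc:  denied  { remove_name } for  pid=1409 comm="caddy" name="access.log" dev="dm-0" ino=931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0'

# avc_to_te MODULE_NAME: reads AVC records on stdin, prints a .te module.
avc_to_te() {
    awk -v module="${1:-my-caddy}" '
    /avc: *denied/ {
        # The permission set is the text between "{ " and " }".
        if (!match($0, /\{ [^}]* \}/)) next
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        scon = ""; tcon = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) scon = substr($i, 10)
            else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        if (scon == "" || tcon == "" || tclass == "") next
        # Contexts are user:role:type:level; allow rules use the type only.
        split(scon, sa, ":"); split(tcon, ta, ":")
        stype = sa[3]; ttype = ta[3]
        remember_type(stype); remember_type(ttype)
        key = stype " " ttype ":" tclass
        if (!(key in rules)) { order[++nrules] = key; rules[key] = "" }
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++) {
            p = pa[j]
            # Merge duplicates per rule and per class, as audit2allow does.
            if (!((key SUBSEP p) in seen)) { seen[key SUBSEP p] = 1; rules[key] = rules[key] " " p }
            if (!((tclass SUBSEP p) in cseen)) {
                if (!(tclass in classperms)) corder[++nclasses] = tclass
                cseen[tclass SUBSEP p] = 1; classperms[tclass] = classperms[tclass] " " p
            }
        }
    }
    function remember_type(t) { if (!(t in tseen)) { tseen[t] = 1; torder[++ntypes] = t } }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (i = 1; i <= ntypes; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nclasses; i++) printf "\tclass %s {%s };\n", corder[i], classperms[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nrules; i++) printf "allow %s {%s };\n", order[i], rules[order[i]]
    }'
}

# Demo on the constructed records above.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-caddy
```

The output mirrors the `module` / `require` / `allow` layout of the .te file that audit2allow writes; the three records collapse to a single `allow httpd_t httpd_log_t:dir { remove_name rename };`. Installing still goes through the real `audit2allow -M` (or checkmodule and semodule_package) and `semodule -i`, as the alert text shows. The review value is in comparing that allow line with the AVC records: if a generated module wants more on the log directory than the handful of name operations a rotation needs, something other than rotation is being denied and the module should not be installed as-is.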

Unfortunately SELinux config is out of scope for us, not sure I can help with that.

2 Likes

Hi @francislavoie

While I can respect that, SELinux is clearly partially in scope, given dist/rpm/caddy.spec at master · caddyserver/dist · GitHub .

But yeah, SELinux is a complex beast. Given that httpd_exec_t is definitely able to write to httpd_log_t log files, I’m assuming that specific operations performed by lumberjack such as remove_name are blocked nonetheless.

If Caddy isn’t able to provide a solution for this (by providing a custom SELinux policy as part of the RPM distribution perhaps), then let this forum topic serve as a searchable reference for others running into this issue.

Workaround

  1. Use roll_disabled as described in log (Caddyfile directive) — Caddy Documentation
  2. Use logrotate(8) — Arch manual pages instead.
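To make the second workaround concrete, here is an added example (not from the thread or from the Caddy project) that writes the two pieces it needs into a scratch directory for review: a Caddyfile log block with `roll_disabled`, and a logrotate drop-in for `/var/log/caddy`. Two things in it are assumptions rather than facts from this page: that Caddy keeps `access.log` open and does not reopen it on a signal, so `copytruncate` is used instead of the rename-and-reopen style; and that logrotate, running in its own `logrotate_t` SELinux domain whose policy exists to manage other services' log files, does not hit the `httpd_t` denial shown above. The `su caddy caddy` line follows from the listing earlier in the thread, where the directory is owned by caddy:caddy.

```shell
#!/bin/sh
# Added example, not from the thread or the Caddy project: scaffolding for the
# logrotate workaround. Writes a Caddyfile log snippet and a logrotate drop-in
# into a directory of your choice so they can be reviewed before being copied
# to the Caddyfile and /etc/logrotate.d/caddy.
#
# Assumptions (not stated on the page): Caddy keeps access.log open and does
# not reopen it on a signal, hence copytruncate; logrotate runs as logrotate_t,
# a domain whose policy is written to manage other services' logs, so the
# rename/unlink happens outside httpd_t and avoids the remove_name denial.

# write_caddy_rotation_files DIR: writes both files, prints the logrotate path.
write_caddy_rotation_files() {
    dir="$1"
    mkdir -p "$dir"

    # Caddyfile fragment: disable built-in rolling so Caddy itself never
    # renames or unlinks inside /var/log/caddy.
    cat > "$dir/Caddyfile.log-snippet" <<'EOF'
log {
    output file /var/log/caddy/access.log {
        roll_disabled
    }
}
EOF

    # logrotate(8) drop-in; review, then install as /etc/logrotate.d/caddy.
    cat > "$dir/caddy.logrotate" <<'EOF'
/var/log/caddy/*.log {
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    # the directory is owned by caddy:caddy (see the ls -alZ listing), so
    # rotate as that user rather than root
    su caddy caddy
    # copy then truncate in place: Caddy keeps the descriptor open (assumption)
    copytruncate
}
EOF
    printf '%s\n' "$dir/caddy.logrotate"
}

# check_caddy_rotation CONF: dry-run the drop-in if logrotate is installed.
# -d is debug mode: logrotate reports what it would do and changes nothing.
check_caddy_rotation() {
    conf="$1"
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "${conf%/*}/logrotate.state" "$conf" \
            || echo "dry run reported problems (no caddy user on this host?)" >&2
    else
        echo "logrotate not installed here; skipping dry run" >&2
    fi
}

# Demo: generate into a temp dir and dry-run.
workdir="$(mktemp -d)"
conf="$(write_caddy_rotation_files "$workdir")"
check_caddy_rotation "$conf"
```

After copying the drop-in into place, `logrotate -d /etc/logrotate.d/caddy` on the real host is the check worth doing: it will complain about the `su` line or the directory ownership before anything is rotated, and a clean debug run with no new AVC records in the audit log is the sign the rotation has moved out of the httpd_t domain.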

Sorry, I forgot to link this earlier; these debug steps might help you track down why it gets blocked, if you have time to try again:

1 Like

Indeed I found that thread while researching this problem.
Unfortunately that is just the starting point of the analysis, which I had already performed.

I’m not knowledgeable enough about SELinux to figure out what the exact rules in the default policies are relating to httpd_t.

But the mentioned workaround is good enough for us (for now).

I would only advise mentioning this issue somewhere in the docs, if only for visibility.

FYI @carlwgeorge in case you have a minute to take a look

1 Like
