When looking at other issues, I noticed that rabbitmq is hitting an SELinux denial in logrotate.
/etc/cron.daily/logrotate:
04:02:03.270 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.025 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.026 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.773 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.774 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:05.532 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:05.533 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:06.278 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:06.279 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.035 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.036 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.796 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.797 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:08.551 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:08.552 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:09.325 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:09.326 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.847 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
Distribution failed: {{:shutdown, {:failed_to_start_child, :auth, {'Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces', [{:auth, :init_cookie, 0, [file: 'auth.erl', line: 286]}, {:auth, :init, 1, [file: 'auth.erl', line: 140]}, {:gen_server, :init_it, 2, [file: 'gen_server.erl', line: 374]}, {:gen_server, :init_it, 6, [file: 'gen_server.erl', line: 342]}, {:proc_lib, :init_p_do_apply, 3, [file: 'proc_lib.erl', line: 249]}]}}}, {:child, :undefined, :net_sup_dynamic, {:erl_distribution, :start_link, [[:"rabbitmqcli-1262520-rabbit@rabbitmq01.stg.iad2.fedoraproject.org", :longnames, 15000], false]}, :permanent, 1000, :supervisor, [:erl_distribution]}}
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
type=AVC msg=audit(1725163332.122:204307): avc: denied { read } for pid=2389725 comm="5_dirty_io_sche" name=".erlang.cookie" dev="dm-0" ino=33814614 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file permissive=0
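Added example, not part of the original report: a small Python parser for the AVC record quoted above. It extracts the source domain, target type, class and permission, and converts the audit timestamp to UTC so the denial can be lined up with the cron output. The function names `parse_avc` and `summarize` are illustrative.

```python
import re
from datetime import datetime, timezone

# AVC record copied verbatim from the report above.
AVC = ('type=AVC msg=audit(1725163332.122:204307): avc: denied { read } for '
       'pid=2389725 comm="5_dirty_io_sche" name=".erlang.cookie" dev="dm-0" '
       'ino=33814614 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file permissive=0')

HEAD = re.compile(
    r'msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    # A context is user:role:type:range, and the MLS range may itself
    # contain ':' (s0-s0:c0.c1023), so split at most three times.
    return context.split(':', 3)[2]


def parse_avc(line):
    """Return the fields of one AVC audit record, or None if it is not one."""
    m = HEAD.search(line)
    if not m:
        return None
    secs, serial, verdict, perms = m.groups()
    kv = {k: v.strip('"') for k, v in PAIR.findall(line[m.end():])}
    return {
        'time': datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat(),
        'serial': int(serial),
        'verdict': verdict,
        'perms': perms.split(),
        'source_type': selinux_type(kv['scontext']),
        'target_type': selinux_type(kv['tcontext']),
        'tclass': kv['tclass'],
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        # permissive=0 means the denial was actually enforced.
        'enforced': kv.get('permissive') == '0',
    }


def summarize(rec):
    perms = ' '.join(rec['perms'])
    return (f"{rec['time']} {rec['verdict']}: {rec['source_type']} -> "
            f"{rec['target_type']}:{rec['tclass']} {{ {perms} }} on {rec['name']}")


if __name__ == '__main__':
    print(summarize(parse_avc(AVC)))
```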
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
How can we achieve this task? By adding a task in the RabbitMQ Ansible role to set a logrotate rule in SELinux?
semanage fcontext -a -t var_log_t "/var/log/rabbitmq(/.*)?"
@seddik That sounds like a good solution.
PR: https://pagure.io/fedora-infra/ansible/pull-request/2264
I don't see any more errors when trying to run the logrotate script on rabbitmq01, and nothing in /var/log/audit/audit.log either.
I can confirm that this issue is now fixed.
Metadata Update from @zlopez: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)