CentOS 6.4 logrotate show error permission denied

Question

I downloaded a tomcat7 tar.gz file from tomcat's official site on my CentOS 6.4 OS(Binary Distributions tar.gz , not yum). I want to use logrotate to roll my tomcat log. So I create the file /etc/logrotate.d/tomcat7 within the following content:

/usr/tomcat7/logs/catalina.out {
    copytruncate
    dateext
    compress
    missingok
    notifempty
    rotate 10
    size 50M
    postrotate
            find /usr/tomcat7/logs/ \( -name "*.log" -o -name "*.txt" \) -mtime +10 -delete
    endscript
}

I tested the role with this command logrotate /etc/logrotate.conf. Everything is OK.

But the next day I find that it not roll the tomcat log automatically.

So I have to modify the file /etc/cron.daily/logrotate to debug. I changed the line /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1 to /usr/sbin/logrotate /etc/logrotate.conf >> /var/log/logrotate.log 2>&1.

Finally, I find the result in /var/log/logrotate.log is error: error opening /usr/tomcat7/logs/catalina.out: Permission denied

Strangely, only tomcat log receives permission denied. All the other logs but tomcat log.

Permission denied ?! why? why root permission denied?

ll -d /usr/tomcat7/logs
drwxr-xr-x. 2 root root 12288 11 30 03:14 /usr/tomcat7/logs/

ll /usr/tomcat7/logs
total 135100
-rw-r--r--. 1 root root      2241 11 29 09:07 catalina.2013-11-29.log
-rw-r--r--. 1 root root     26063 11 30 03:14 catalina.2013-11-30.log
-rw-r--r--. 1 root root 137950120 11 30 18:43 catalina.out
-rw-r--r--. 1 root root         0 11 29 09:07 host-manager.2013-11-29.log
-rw-r--r--. 1 root root         0 11 30 03:14 host-manager.2013-11-30.log
-rw-r--r--. 1 root root       477 11 29 09:07 localhost.2013-11-29.log
-rw-r--r--. 1 root root       725 11 30 03:14 localhost.2013-11-30.log
-rw-r--r--. 1 root root    284261 11 29 21:56 localhost_access_log.2013-11-29.txt
-rw-r--r--. 1 root root     45611 11 30 18:42 localhost_access_log.2013-11-30.txt
-rw-r--r--. 1 root root         0 11 29 09:07 manager.2013-11-29.log
-rw-r--r--. 1 root root         0 11 30 03:14 manager.2013-11-30.log

---

@user3069508

Many thanks! I find the file /var/log/audit/audit.log exists. Then I searched the file with key word logrotate and I find the error like this:

type=AVC msg=audit(1386185162.298:210505): avc: denied { write } for pid=740 comm="logrotate" name="catalina.out" dev=sda5 ino=48235357 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1386185162.298:210505): arch=c000003e syscall=2 success=no exit=-13 a0=1d33440 a1=2 a2=7fffff6730cf a3=746165726373662f items=0 ppid=737 pid=740 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=94 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

But I'm not goot at selinux. Could you help me how to solve this problem?

Answer 1

Don't go and disable SELinux blindly, you can restore the original security context with restorecon command:

# restorecon -v /var/lib/logrotate.status
restorecon reset /var/lib/logrotate.status context system_u:object_r:init_var_lib_t:s0->system_u:object_r:logrotate_var_lib_t:s0

Answer 2

Tomcat log files or logrotate is probably blocked by selinux.

SElinux log file location:

/var/log/avc.log
/var/log/audit/audit.log
/var/log/audit.log