Problem

By default, cronolog (cronolog-1.6.2-1) will not work under SELinux. You’ll see audit errors in /var/log/messages like these:

kernel: audit(1142674513.482:5): avc:  denied  { create } for  pid=5135 comm="cronolog" name="2006" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=dir

and

kernel: audit(1142723548.453:3): avc:  denied  { create } for  pid=3164 comm="cronolog" name="access.log" scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_log_t tclass=lnk_file

This is cronolog trying to create a new year folder and a new symbolic link to your most current access log. It does both when it is given the --symlink parameter and told to organize rolled-over logs in year-by-year folders. Here’s more about cronolog usage.

Solution

This solution is for Red Hat Enterprise Linux 4 (RHEL4), though it should apply to other SELinux-enabled operating systems. First, make sure that the directory the logs are being written to has a target security context of “httpd_log_t”. More specifically, this is the directory in which cronolog is trying to create a symbolic link or a year directory, which SELinux calls the target directory. You can verify this by running:

ls -aZ /your/log/dir

and confirming that the security context is correct. You should see something like this:

drwxr-xr-x  root     root     root:object_r:httpd_log_t        .
drwx------  root     root     system_u:object_r:httpd_log_t    ..
drwxr-xr-x  root     root     root:object_r:httpd_log_t        2003
drwxr-xr-x  root     root     root:object_r:httpd_log_t        2004
drwxr-xr-x  root     root     root:object_r:httpd_log_t        2005
drwxr-xr-x  root     root     root:object_r:httpd_log_t        2006

If the security context is not correct, use the “chcon” command to set it.

Once you’ve confirmed that the target directory has a security context of httpd_log_t, all you have to do is create a custom policy.

You can read about how to do this here. Here are the steps:

  • Install the selinux-policy-targeted-sources rpm
    up2date -i selinux-policy-targeted-sources
    
  • Stop apache
    service httpd stop
    
  • Create a new local custom security policy (here I’m using nano; you can use whatever editor you want: vi, emacs, etc.)
    nano /etc/selinux/targeted/src/policy/domains/misc/local.te
    
  • Add the following text to local.te
    allow httpd_t httpd_log_t:dir create;
    allow httpd_t httpd_log_t:lnk_file create;
    
  • Save the file
  • Compile the new policy
    cd /etc/selinux/targeted/src/policy
    make load
    
  • Start apache
    service httpd start
    

At this point, check your /var/log/messages and your log directory. You should see no more SELinux audit messages, and cronolog should have created its directories and symbolic links.
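The two rules in local.te follow field by field from the denials quoted in the Problem section: the type in scontext, the type in tcontext, the tclass, and the denied permission. The sketch below is an added example, not part of the original post or of any SELinux tool. It parses AVC denial lines and prints the minimal allow rules that match them, so you can confirm a custom policy grants nothing beyond what was denied. The function names and the embedded sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted on this page.
SAMPLE_LOG = """\
kernel: audit(1142674513.482:5): avc:  denied  { create } for  pid=5135 comm="cronolog" name="2006" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=dir
kernel: audit(1142723548.453:3): avc:  denied  { create } for  pid=3164 comm="cronolog" name="access.log" scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_log_t tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]

def denials_to_rules(log_text):
    """Map AVC denials to the minimal allow rules that would permit them."""
    wanted = defaultdict(set)  # (source type, target type, class) -> perms
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        perms = m.group("perms").split()
        if not perms:
            continue  # empty permission set, nothing to allow
        key = (selinux_type(m.group("scon")),
               selinux_type(m.group("tcon")),
               m.group("tclass"))
        wanted[key].update(perms)  # repeated denials collapse into one rule
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

If the output contains a source type, target type or permission you did not expect, investigate that denial before adding the rule to local.te.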