logrotate cron job not rotating certain logs

Question

I added two scripts in "logrotate.d" directory for my application logs to be rotated. This is the config for one of them:

<myLogFilePath> {
  compress
  copytruncate
  delaycompress
  dateext
  missingok
  notifempty
  daily
  rotate 30
}

There is a "logrotate" script in "cron.daily" directory (which seems to be running daily as per cron logs):

#!/bin/sh

echo "logrotate_test" >>/tmp/logrotate_test
#/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
/usr/sbin/logrotate -v /etc/logrotate.conf &>>/root/logrotate_error

EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

The first echo statement is working.
But I find my application logs alone are not getting rotated, whereas other logs like httpd are getting rotated **
**And I also don't see any output in the mentioned "logrotate_error" file (has write permission for all users).

However the syslog says: "logrotate: ALERT exited abnormally with [1]"

But when I run the same "logrotate" in "cron.daily" script manually, everything seems working fine.

Why is it not rotating during daily cron schedule? Am I doing something wrong here?
It would be great if I get this much needed help.

UPDATED: It looks like, it's because of selinux - the log files in my user home directory has restrictions imposed by selinux and the when logrotate script is run:

SELinux is preventing /usr/sbin/logrotate from getattr access on the file /home/user/logs/application.log

Answer 1

SELinux was restricting the access to logrotate on log files in directories which does not have the required SELinux file context type. "/var/log" directory has "var_log_t" file context, and logrotate was able to do the needful. So the solution was to set this on my application log files and it's parent directory:

semanage fcontext -a -t var_log_t <directory/logfile>
restorecon -v <directory/logfile>

Answer 2

I had a similar problem. To resolve this, I first checked the status of SELinux using the sestatus command:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Then, check the SELinux security context applied to files and directories using ls --scontext. Check the files you want logrotate to operate on, and check files that are working, such as /var/log/maillog:

# ls --scontext /var/log/maillog*
system_u:object_r:var_log_t:s0   /var/log/maillog
system_u:object_r:var_log_t:s0   /var/log/maillog-20140713
system_u:object_r:var_log_t:s0   /var/log/maillog-20140720
system_u:object_r:var_log_t:s0   /var/log/maillog-20140727
system_u:object_r:var_log_t:s0   /var/log/maillog-20140803

Use semanage to change the file context.

semanage fcontext -a -t var_log_t <directory/logfile>
restorecon -v <directory/logfile>

Answer 3

Just to generalize the above and make sure same SELinux context is properly set for all future files:

semanage fcontext -a -t var_log_t "<directory>(/.*)?"
restorecon -v <directory>

Answer 4

SELinux is preventing /usr/sbin/logrotate from read access on the directory sites.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that logrotate should be allowed read access on the sites directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Answer 5

I've recently encountered a similar SELinux-related issue with logrotate not operating on files as expected, which occurred when the logs to be rotated were on an NFS share.

In this case setting the logrotate_use_nfs seboolean seemed to fix the problem, e.g.

$ setsebool logrotate_use_nfs 1
$ getsebool logrotate_use_nfs
logrotate_use_nfs --> on

Answer 6

I have seen this issue with SELINUX disabled and this was because the parent directory of log file being rotated has global write-permission which is not welcomed by logrotate

error: skipping "/xxx/yyy/log/logfile.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

chmod the parent directory to 755 solved the issue

# logrotate --version
logrotate 3.8.6