Nginx – SELinux – logrotate is not rotating NGINX logs


I am using CentOS, NGINX and Passenger to serve a Rails application.
I have SELinux activated, and have had a series of problems with logrotate.
I have been able to resolve most of the issues by following various advice online.
Unfortunately, logrotate is not successfully rotating my NGINX logfiles.
NGINX is installed in /opt/nginx.

This is my logrotate config file:

/opt/nginx/logs/*log {
    daily
    rotate 30
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        [ ! -f /opt/nginx/logs/nginx.pid ] || kill -USR1 `cat /opt/nginx/logs/nginx.pid`
    endscript
}

These are the messages I am receiving in /var/log/messages:

Mar  9 03:49:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/logrotate from rename access on the file logrotate_temp.RTg4y3. For complete SELinux messages. run sealert -l 8c5238cd-3e95-4af6-b150-498080c862b8
Mar  9 03:49:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/logrotate from rename access on the file logrotate_temp.OjvGsG. For complete SELinux messages. run sealert -l 8c5238cd-3e95-4af6-b150-498080c862b8
Mar 10 03:55:46 localhost logrotate: ALERT exited abnormally with [1]

I have tried using sealert to update the policies as the messages recommend; however, this does not resolve the issue (I suspect that this may be because the temp files always have different names).

Can anyone suggest how I can resolve this so the logfiles get successfully rotated?

— EDIT —
Added output of sudo sealert -l 8c5238cd-3e95-4af6-b150-498080c862b8:

SELinux is preventing /usr/sbin/logrotate from rename access on the file logrotate_temp.NuwGkX.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that logrotate should be allowed rename access on the logrotate_temp.NuwGkX file by  default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Best Answer

I found that the problem lay with a couple of the older (rotated) log files.

Running ls --scontext in the directory where the log lives showed that 2 of the rotated logs did not have the var_log_t context.

I fixed this by deleting these particular files (they were several months old).

On the next scheduled run, the logs rotated correctly.
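
The label check described in the answer can be scripted, so that mislabeled rotated logs are found before logrotate fails on them. This is an added example, not the poster's own code. It assumes GNU stat (whose %C format prints the SELinux context) and takes var_log_t as the expected type, as in the answer; the sample listing, including its file names and the usr_t label, is constructed.

```shell
#!/bin/sh
# List files whose SELinux type differs from the expected one.
# Input on stdin: one "<context> <path>" pair per line, as produced by
#   stat -c '%C %n' /opt/nginx/logs/*
# Output: "<type> <path>" for every file whose type is not $1.
mislabeled_logs() {
    expected_type=$1
    awk -v want="$expected_type" '
        NF >= 2 {
            # Context is user:role:type[:level]; the type is the third field.
            n = split($1, part, ":")
            type = (n >= 3) ? part[3] : "unlabeled"
            # Everything after the first space is the path (may contain spaces).
            path = substr($0, index($0, " ") + 1)
            if (type != want) print type " " path
        }'
}

# Constructed sample listing: two old rotated logs carry a different type
# from the live logs, which is the situation the answer describes.
sample_listing() {
    cat <<'EOF'
system_u:object_r:var_log_t:s0 /opt/nginx/logs/access.log
system_u:object_r:var_log_t:s0 /opt/nginx/logs/access.log-20130308
unconfined_u:object_r:usr_t:s0 /opt/nginx/logs/access.log-20121101
unconfined_u:object_r:usr_t:s0 /opt/nginx/logs/error.log-20121101
system_u:object_r:var_log_t:s0 /opt/nginx/logs/error.log
EOF
}

# On a real host, replace sample_listing with the stat command shown above.
sample_listing | mislabeled_logs var_log_t
```

An empty result means every file in the listing already has the expected type.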