Troubleshooting a logrotate failure: SELinux blocking rotation when enabled, and how to fix it
First, in the test environment SELinux was disabled:
# getenforce
disable
Re-enable SELinux with a configuration matching production:
[root@local]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive # set to permissive when re-enabling
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@local]#
Reboot and enter single-user mode:
switch_root:/# mount -o remount,rw sysroot/
switch_root:/# chroot sysroot/
sh-4.2# genhomedircon
sh-4.2# touch /.autorelabel
sh-4.2# reboot -f
Once SELinux is enabled again it relabels every file on the system, so the reboot takes a long time.
After the relabeling finishes, set SELINUX=enforcing, save, and reboot.
------------------------------------------------------------------------------------------------------------
Because the production environment is in:
# getenforce
permissive
The /var/lib/logrotate/logrotate.status file shows that the job has run, but the log was not actually rotated.
No SELinux alert is raised either, and the machine cannot be rebooted.
[root@local]# logrotate -fv /etc/logrotate.d/log
reading config file /etc/logrotate.d/log
Allocating hash table for state file, size 15360 B
Handling 1 logs
rotating pattern: /apps/log.log forced from command line (30 rotations)
empty log files are not rotated, old logs are removed
considering log /apps/log.log
  log needs rotating
rotating log /apps/log.log, log->rotateCount is 30
dateext suffix '-20230217'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
copying /apps/log.log to /apps/log.log-20230217
set default create context to system_u:object_r:unlabeled_t:s0
truncating /apps/log.log
compressing log with: /bin/gzip
set default create context to system_u:object_r:unlabeled_t:s0
set default create context
[root@local]#
With log rotation correctly configured, it only acts when forced, and it produces SELinux actions such as system_u:object_r:unlabeled_t:s0.
In the same test environment with SELinux disabled, logrotate works normally.
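As an added example (not part of the original post), a small POSIX shell check for the symptom above: the state file records a rotation but no dateext file exists, plus a grep for the unlabeled_t message from a saved verbose run. All paths and sample data are constructed.

```sh
#!/bin/sh
# Added example: health check for "logrotate.status says rotated, but no
# rotated file exists". All paths and sample data below are constructed.

# last_rotation_date STATEFILE LOGPATH -> prints the date recorded for LOGPATH
# as YYYYMMDD (the dateext suffix), or nothing if LOGPATH is not listed.
last_rotation_date() {
    # State lines look like:  "/apps/log.log" 2023-2-17-0:0:0
    # (older logrotate versions write only the date part, 2023-2-17).
    awk -v target="\"$2\"" '$1 == target {
        split($2, d, "-"); printf "%04d%02d%02d\n", d[1], d[2], d[3] }' "$1"
}

# rotation_mismatch STATEFILE LOGPATH -> 0 (true) when the state file records a
# rotation but neither LOGPATH-YYYYMMDD nor LOGPATH-YYYYMMDD.gz exists.
rotation_mismatch() {
    d=$(last_rotation_date "$1" "$2")
    [ -n "$d" ] || return 1                  # never rotated: nothing to compare
    if [ -e "$2-$d" ] || [ -e "$2-$d.gz" ]; then
        return 1                             # rotated copy present: consistent
    fi
    return 0
}

# unlabeled_context OUTPUTFILE -> 0 when a saved `logrotate -fv` run reported an
# unlabeled_t create context, the SELinux symptom shown in the post.
unlabeled_context() {
    grep -q 'set default create context to .*:unlabeled_t:' "$1"
}

# make_sample DIR: builds the broken scenario in DIR (constructed demo data).
make_sample() {
    mkdir -p "$1"
    : > "$1/log.log"                         # live log exists, no rotated copy
    printf 'logrotate state -- version 2\n"%s/log.log" 2023-2-17-0:0:0\n' \
        "$1" > "$1/logrotate.status"
    printf 'copying %s/log.log to %s/log.log-20230217\nset default create context to system_u:object_r:unlabeled_t:s0\n' \
        "$1" "$1" > "$1/logrotate.out"
}

main() {
    dir=$(mktemp -d); make_sample "$dir"
    rotation_mismatch "$dir/logrotate.status" "$dir/log.log" \
        && echo "state file claims a rotation but no rotated file exists"
    unlabeled_context "$dir/logrotate.out" \
        && echo "unlabeled_t context reported: check the log's label with ls -Z"
    rm -rf "$dir"
}
main
```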
Reference:
https://blog.csdn.net/zsx0728/article/details/107770152
Method one: add a daily scheduled job
crontab -e
# run once a day at 00:00
0 0 * * * /usr/sbin/logrotate -fv /etc/logrotate.d/log
Method two: add a size parameter so that rotation is triggered by more than one condition, which works around rotation not running when SELinux is enabled
[root@vm256 apps]# cat /etc/logrotate.d/log
/apps/log.log
{
    su root root
    create 0644 root root
    daily
    dateext
    compress
    copytruncate
    notifempty
    rotate 30
    missingok
    size 1G # add the size field; rotation is then no longer affected by SELinux
}
[root@vm256 apps]#