Resolving "Permission Denied" Errors for aella_flow.pid

Linux Server Sensors installed in KVM-based environments with SELinux set to enforcing may encounter a recurring issue where logrotate.service is unable to restart the aella_flow service after rotating logs.

Symptoms of the Issue

You can tell that this issue is affecting your environment when logrotate.service exits with a failure and the following error is logged in both the messages and systemd logs:

daemon_unix|warn|/var/run/aella/aella_flow.pid: open: permission denied

This is a permissions error: logrotate is denied access when it attempts to interact with /var/run/aella/aella_flow.pid.

Workaround for "Permission Denied" Errors

As a workaround for this issue, you must create and apply a policy file that grants permission in SELinux to both the logrotate process and its child processes to access the following files:

  • /run/aella/aella_flow.pid

  • /run/aella/aella_flow.<PID>.ctl

The following procedure explains how to do this:

  1. Start by saving the following text as a type enforcement (.te) file named aella_appctl.te:

    module aella_appctl 1.0;
    require {
        type var_run_t;
        type logrotate_t;
        type unconfined_service_t;
        class file write;
        class sock_file write;
        class unix_stream_socket connectto;
    }

    #============= logrotate_t ==============

    allow logrotate_t unconfined_service_t:unix_stream_socket connectto;

    #!!!! This avc is allowed in the current policy

    allow logrotate_t var_run_t:file write;

    #!!!! This avc is allowed in the current policy

    allow logrotate_t var_run_t:sock_file write;
  2. Compile the aella_appctl.te enforcement file into a module file named aella_appctl.mod with the following command:

    checkmodule -M -m -o aella_appctl.mod aella_appctl.te

  3. Create a policy file named aella_appctl.pp from the aella_appctl.mod module file with the following command:

    semodule_package -o aella_appctl.pp -m aella_appctl.mod

  4. Install the policy file in SELinux with the following command:

    semodule -i aella_appctl.pp
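    The script below is an added example and not part of the original procedure. It turns the SELinux AVC denial records behind this error into the allow rules they require, checks whether a .te module such as aella_appctl.te already contains each rule, and confirms the module from step 4 is loaded; the audit records it uses are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: map the SELinux AVC denials
# behind the "permission denied" error to the allow rules they need, and check
# that a .te module (such as aella_appctl.te from the procedure) covers them.
# The audit records below are constructed samples in audit.log/ausearch format.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=4242 comm="logrotate" path="/run/aella/aella_flow.pid" dev="tmpfs" ino=1 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { connectto } for  pid=4242 comm="logrotate" path="/run/aella/aella_flow.1234.ctl" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { getattr } for  pid=999 comm="crond" path="/run/other.pid" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# stdin: AVC records (one permission per record); stdout: the allow rule each
# denial would need, built from source type, target type, class and permission.
avc_to_allow_rule() {
  sed -n 's/.*denied *{ \([a-z_]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 \1;/p'
}

# Keep only denials from the logrotate domain against aella's runtime files
# (/run/aella or /var/run/aella), then turn them into rules. Feed it real
# records with: ausearch -m avc -ts recent | aella_logrotate_rules
aella_logrotate_rules() {
  grep 'scontext=[^ ]*:logrotate_t:' \
    | grep -E 'path="/(var/)?run/aella/' \
    | avc_to_allow_rule | sort -u
}

# $1: path to a .te file; stdin: rules from aella_logrotate_rules.
# Prints every rule the module does not yet contain (empty output = covered).
rules_missing_from_module() {
  while IFS= read -r rule; do
    grep -qF "$rule" "$1" || printf '%s\n' "$rule"
  done
}

# Confirm the module installed in step 4 is loaded; returns non-zero if not.
aella_module_installed() {
  command -v semodule >/dev/null 2>&1 && semodule -l | grep -q '^aella_appctl'
}

# Show which rules the sample denials call for.
printf '%s\n' "$SAMPLE_AUDIT" | aella_logrotate_rules
```

    On a live host, pipe the output of rules_missing_from_module back into the .te file review before recompiling; a non-empty result means the module as written does not cover every observed denial.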

Uninstalling the Policy File

If you uninstall the Linux Server Sensor, you can remove the workaround policy created in this section from the host with the following command:

semodule -r aella_appctl