[gridengine users] selinux, logrotate and grid engine files

Stuart Barkley stuartb at 4gh.net
Fri May 25 21:31:35 UTC 2018


As in other messages here recently, we have been successfully using
logrotate for various of our grid engine files for a long time.  Our
file is below for reference purposes.

We recently upgraded our qmaster system from CentOS 6 to CentOS 7. As
part of attempting gradual improvement of our security posture we are
trying to use selinux on new systems.

The good news is that we are not seeing anything impacting the running
of Grid Engine under selinux except logrotate.

The bad news is that logrotate is not successfully working with the
grid engine files (accounting, reporting and messages).

We are still looking at the specifics and think we may have a solution
using 'semanage permissive -a logrotate_t' as hinted at by:

    https://www.unix.com/man-page/centos/8/logrotate_selinux/

This appears to just disable (change to permissive) the selinux
support for logrotate.

Using 'semanage fcontext -a -t something ...' and 'restorecon -v ...'
appear to be possible but I'm unclear of the specifics since the log
files are mixed with other grid engine files in the same directory.

Has anyone else had any experience running grid engine with selinux?

We are using grid engine 8.1.8 with a couple of local patches.

Here is our /etc/logrotate.d/scl-grid-engine

==== begin ====
/opt/sge_root/*/common/accounting {
    compress
    nocreate
    dateext
    ifempty
    # keep logs "forever"
    rotate 5000
    weekly
}

/opt/sge_root/*/common/reporting {
    compress
    nocreate
    dateext
    ifempty
    # keep logs "forever"
    rotate 5000
    weekly
}

/var/spool/sge/*/qmaster/messages {
    compress
    nocreate
    dateext
    ifempty
    # keep logs "forever"
    rotate 5000
    weekly
}

# mostly useless (in long term) debugging logs
/opt/sge_root/*/common/schedd_runlog /opt/sge_root/*/common/schedule {
    nocompress
    nocreate
    missingok
    rotate 2
    daily
}
==== end ====

Stuart Barkley
-- 
I've never been lost; I was once bewildered for three days, but never lost!
                                        --  Daniel Boone
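
One way to scope 'semanage fcontext' to just the rotated files when they share a directory with other grid engine files, as an added example that is not part of the original post: the script derives a file-context regex from each logrotate path and prints the commands for review instead of running them. The var_log_t type and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: print (not run) SELinux labelling commands for the files
# named in a logrotate config, so only the logs get the new type.
# Assumption: var_log_t is the chosen label; confirm it against local policy.
LOG_TYPE="${LOG_TYPE:-var_log_t}"

# Constructed sample, shortened from the config in the post.
sample_config() {
    cat <<'EOF'
/opt/sge_root/*/common/accounting {
    compress
    dateext
}
# debugging logs
/opt/sge_root/*/common/schedd_runlog /opt/sge_root/*/common/schedule {
    nocompress
    rotate 2
}
EOF
}

# File globs from "path [path ...] {" lines of a logrotate config.
logrotate_paths() {
    awk '/^\/.*[{][ \t]*$/ { sub(/[ \t]*[{][ \t]*$/, ""); for (i = 1; i <= NF; i++) print $i }' "$1"
}

# logrotate glob -> file-context regex: escape regex metacharacters, turn "*"
# into one path component, and accept rotated names such as
# accounting-20180525.gz (dateext + compress) or schedd_runlog.1.
glob_to_fcontext() {
    printf '%s\n' "$1" | sed -e 's/[.+?()|{}^$]/\\&/g' -e 's|\*|[^/]+|g' -e 's/$/([-.][0-9]+(\\.gz)?)?/'
}

# Caveat: rotation also creates and renames entries in the directory, and that
# is governed by the directory's own label, not by these file labels.
emit_commands() {
    logrotate_paths "$1" | while IFS= read -r glob; do
        printf "semanage fcontext -a -t %s '%s'\n" "$LOG_TYPE" "$(glob_to_fcontext "$glob")"
        printf 'restorecon -v %s*\n' "$glob"
    done
}

# Demo on the constructed sample; call emit_commands on the real config file instead.
tmp=$(mktemp) && sample_config > "$tmp" && emit_commands "$tmp"
rm -f "$tmp"
```
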


