As in other messages here recently, we have been successfully using
logrotate for various of our grid engine files for a long time. Our
file is below for reference purposes.
We recently upgraded our qmaster system from CentOS 6 to CentOS 7. As
part of attempting gradual improvement of our security posture we are
trying to use selinux on new systems.
The good news is that we are not seeing anything impacting the running
of Grid Engine under selinux except logrotate.
The bad news is that logrotate is not successfully working with the
grid engine files (accounting, reporting and messages).
We are still looking at the specifics and think we may have a solution
using 'semanage permissive -a logrotate_t' as hinted at by:
https://www.unix.com/man-page/centos/8/logrotate_selinux/
This appears to just disable (change to permissive) the selinux
support for logrotate.
Using 'semanage fcontext -a -t something ...' and 'restorecon -v ...'
appear to be possible but I'm unclear of the specifics since the log
files are mixed with other grid engine files in the same directory.
Has anyone else had any experience running grid engine with selinux?
We are using grid engine 8.1.8 with a couple of local patches.
Here is our /etc/logrotate.d/scl-grid-engine
==== begin ====
/opt/sge_root/*/common/accounting {
compress
nocreate
dateext
ifempty
# keep logs "forever"
rotate 5000
weekly
}
/opt/sge_root/*/common/reporting {
compress
nocreate
dateext
ifempty
# keep logs "forever"
rotate 5000
weekly
}
/var/spool/sge/*/qmaster/messages {
compress
nocreate
dateext
ifempty
# keep logs "forever"
rotate 5000
weekly
}
# mostly useless (in long term) debugging logs
/opt/sge_root/*/common/schedd_runlog /opt/sge_root/*/common/schedule {
nocompress
nocreate
missingok
rotate 2
daily
}
==== end ====
Stuart Barkley
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
