The Issue
When running multiple httpd instances on a single host (for example set up as described in this post) with SELinux enabled and in enforcing mode, a single logrotate configuration that reloads all instances through systemd from its postrotate script fails when the script looks like this:

```
postrotate
    /bin/systemctl reload httpd*.service > /dev/null 2>/dev/null || true
endscript
```
Because the command ends in `|| true`, logrotate itself reports nothing: the log files are renamed, but each httpd instance keeps writing to the renamed file until it is told to reopen its logs. The denial is recorded in the audit log as a USER_AVC event reported by systemd (pid 1): the logrotate_t domain is not allowed the status permission on the system class against init_t, so systemctl cannot even query the units it is asked to reload:

```
type=USER_AVC msg=audit(1523410562.012:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=0 uid=0 gid=0 cmdline="/bin/systemctl reload httpd*.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```
The Solution
The issue can be resolved without involving systemd at all, by sending the USR1 signal directly to the main (parent) httpd process of each instance. USR1 is Apache's graceful restart signal: the parent re-reads its configuration, reopens its log files and replaces its child processes only after they have finished their current requests, so no connections are dropped.
The PIDs of the main processes can be obtained by reading the PID files of the individual httpd instances, as set by the PidFile directive in their respective httpd.conf files.
In the following example the httpd.conf files of all instances match the /etc/httpd/conf/httpd*.conf pattern and their PID files all match /var/run/httpd*.pid:
```
# grep PidFile /etc/httpd/conf/httpd*.conf
/etc/httpd/conf/httpd1.conf:PidFile "/var/run/httpd1.pid"
/etc/httpd/conf/httpd2.conf:PidFile "/var/run/httpd2.pid"
/etc/httpd/conf/httpd3.conf:PidFile "/var/run/httpd3.pid"
```
A script similar to the following can then be used in the postrotate section of the /etc/logrotate.d/httpd configuration file:

```
# vi /etc/logrotate.d/httpd
postrotate
    # Signal each instance directly instead of going through systemctl.
    for pidfile in /var/run/httpd*.pid; do
        [ -f "$pidfile" ] || continue
        PID=$(cat "$pidfile")
        # Only signal if the PID still belongs to an httpd process
        # (guards against a stale PID file pointing at an unrelated process).
        if grep -qa "/usr/sbin/httpd" "/proc/$PID/cmdline"; then
            kill -USR1 "$PID"
        fi
    done || true
endscript
```
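The check on /proc/PID/cmdline matters because logrotate runs as root: a stale PID file whose number has since been recycled by another process, or a PID file an attacker can write to, would otherwise receive a root-sent signal. The following helper, an added example and not the original post's script, makes those checks explicit and compares argv[0] exactly instead of grepping for the substring "/usr/sbin/httpd" anywhere in the command line (which would also match, say, `bash -c /usr/sbin/httpd`). The PROC_ROOT and HTTPD_BIN variables and the install path in the usage comment are assumptions introduced here; PROC_ROOT exists only so the logic can be exercised against a constructed fake /proc tree.

```shell
#!/bin/sh
# Added example (not from the original post): postrotate logic for multiple
# httpd instances that refuses to signal anything that is not a live httpd
# parent process. PROC_ROOT and HTTPD_BIN are assumed parameters so the checks
# can be run against a fake /proc tree; on a real host the defaults apply.
: "${PROC_ROOT:=/proc}"
: "${HTTPD_BIN:=/usr/sbin/httpd}"

# httpd_pids_from_pidfiles PIDFILE...
# Prints, one per line, the PIDs read from the given PID files that belong to
# a running process whose argv[0] is $HTTPD_BIN. Everything else is reported
# on stderr and skipped.
httpd_pids_from_pidfiles() {
    local pidfile pid argv0
    for pidfile in "$@"; do
        [ -f "$pidfile" ] || continue   # unmatched glob or file already gone
        # First line only, with surrounding whitespace and newline removed.
        pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
        case "$pid" in
            '' | *[!0-9]*)
                echo "skip $pidfile: not a numeric PID" >&2
                continue ;;
        esac
        if [ ! -r "$PROC_ROOT/$pid/cmdline" ]; then
            echo "skip $pidfile: PID $pid is not running" >&2
            continue
        fi
        # /proc/PID/cmdline is NUL-separated; compare argv[0] exactly rather
        # than searching for the binary name anywhere in the command line.
        argv0=$(tr '\000' '\n' < "$PROC_ROOT/$pid/cmdline" | head -n 1)
        if [ "$argv0" != "$HTTPD_BIN" ]; then
            echo "skip $pidfile: PID $pid is '$argv0', not $HTTPD_BIN" >&2
            continue
        fi
        echo "$pid"
    done
    return 0
}

# graceful_restart_httpd_instances PIDFILE...
# Sends USR1 (graceful restart: configuration re-read, log files reopened) to
# every PID accepted by httpd_pids_from_pidfiles. Always returns 0 so that a
# host without matching instances does not make logrotate report an error.
graceful_restart_httpd_instances() {
    local pid
    for pid in $(httpd_pids_from_pidfiles "$@"); do
        kill -USR1 "$pid" || echo "kill -USR1 $pid failed" >&2
    done
    return 0
}

# Usage from /etc/logrotate.d/httpd (the helper's install path is assumed):
#   postrotate
#       . /usr/local/sbin/httpd-postrotate.sh
#       graceful_restart_httpd_instances /var/run/httpd*.pid
#   endscript
```

Splitting the PID validation from the signalling keeps the part that decides who gets signalled testable on its own, and the stderr messages give logrotate's mail or journal output something to say when an instance is silently skipped.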