Signaling daemons in logrotate configuration snippets

Some packages install logrotate configuration snippets with postrotate scripts that call:

```
kill -<signal> `cat /run/<pidfile> 2>/dev/null` 2>/dev/null || true
```

A non-comprehensive list: php-fpm, nginx, syslog-ng. The CONFIGURATION FILE section of the logrotate(8) man page includes an example of this type of construction.

https://src.fedoraproject.org/rpms/php/blob/rawhide/f/php-fpm.logrotate
https://src.fedoraproject.org/rpms/nginx/blob/rawhide/f/nginx.logrotate
https://src.fedoraproject.org/rpms/syslog-ng/blob/rawhide/f/syslog-ng.logrotate

This seems wasteful to me, as systemd *already knows* the daemon's main PID (even when there's no pidfile) and can achieve the same result with:

```
systemctl kill --signal=<signal> --kill-who=main <service> 2>/dev/null || true
```

(since systemd 252, the option has been renamed to `--kill-whom`, and `--kill-who` remains supported for compatibility)

A long time ago, I opened a bug to change this for Nginx, but at the time, SELinux policy didn't allow it, and the change was reverted.

Adjusting the SELinux policy to allow the use of `systemctl kill` in these cases would be beneficial, as the current policy (selinux-policy-targeted-41.40-1.fc42.noarch) still denies it:

```
type=USER_AVC msg=audit(1748111593.330:131): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/php-fpm.service" cmdline="" function="bus_unit_method_kill" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
```

Does this make sense to you? Should I start filing bugs about this?
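As an added example (not from the original post, nor from any of the packages named in it), here is a postrotate helper that takes the `systemctl kill` route when systemd knows the unit, and only falls back to the pidfile construction after checking that the file really holds a single PID; the function name `signal_daemon` and its arguments are assumptions.

```shell
#!/bin/sh
# signal_daemon SERVICE SIGNAL [PIDFILE]
# Deliver SIGNAL to the daemon's main process. Returns 0 on delivery, 1 otherwise.
# Hypothetical helper written for this post; not shipped by any package.
signal_daemon() {
    service=$1
    sig=$2
    pidfile=$3

    # Preferred path: systemd already tracks the main PID, pidfile or not.
    # --kill-who is accepted by all systemd versions; --kill-whom is the
    # newer spelling (systemd >= 252).
    if command -v systemctl >/dev/null 2>&1 \
       && systemctl is-active --quiet "$service" 2>/dev/null; then
        systemctl kill --signal="$sig" --kill-who=main "$service" 2>/dev/null
        return $?
    fi

    # Legacy fallback: only trust the pidfile if it contains a bare positive
    # integer, so an empty or corrupted file never becomes a `kill` call with
    # a missing or unexpected target.
    [ -n "$pidfile" ] && [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    kill -s "$sig" "$pid" 2>/dev/null
}
```

Inside a logrotate snippet this replaces the whole `kill -<signal> \`cat ...\`` line with `signal_daemon nginx.service USR1 /run/nginx.pid || true`.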