I run logrotate through cron with the script

[alex@leia ~]$ cat /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf >/dev/null
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

which, according to the syslog, should work:

Dec 14 03:21:01 leia run-parts(/etc/cron.daily)[3041]: starting logrotate
Dec 14 03:21:01 leia run-parts(/etc/cron.daily)[3063]: finished logrotate

I expect this to also run the following directive:

[alex@leia ~]$ cat /etc/logrotate.d/www-data_uwsgi_nginx
/home/www-data/*/logs/*/*log {
    rotate 5
    size 20M
    nocompress
    missingok
    postrotate
        touch /tmp/uwsgi-reload
        [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
    sharedscripts
}

But! It does not rotate the logs under /home/www-data. Other logs get rotated. If I run logrotate manually with

[alex@leia ~]$ sudo logrotate /etc/logrotate.conf

it does rotate the logs in question.

I saw the related question where the problem was with SELinux, and attempted that solution but it did not help in my case.


Edit: On request, the contents of /etc/logrotate.conf:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
kqr
  • 91

1 Answer

I asked for help in #centos, and it appears SELinux was the problem. According to aureport -a SELinux denied the process running under the logrotate_t context access to files in the home directory, which had the user_home_t label – not really a big surprise once you know how SELinux works!

I decided to just relabel the directories for the log files (the trailing .* makes the modification recursive):

# semanage fcontext -a -t var_log_t "/home/www-data/.*/logs/.*"
# restorecon -r /home/www-data/*/logs

I picked the var_log_t label because it sorta-kinda makes sense and it happens to be one I know should work. I'd like to use a label that makes more sense but I don't know how to list working ones. It might be possible to create a new policy but that seemed overkill for my purposes.

I'll have to wait a couple of days and then see if it has worked, but I suspect it will!

Edit: it worked like a charm! I'm so happy now.

kqr
  • 91
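The answer diagnosed the failure from the audit log (`aureport -a`) and fixed it by relabelling. The script below is an added example and is not part of the question or the answer: it parses SELinux AVC denial records, keeps only those raised against the `logrotate_t` domain, summarises which target labels blocked it, and prints (without running) the `semanage fcontext` / `restorecon` commands the answer used. The three audit lines are constructed sample input in the standard auditd AVC format; on a real host they would come from `ausearch -m avc -c logrotate --raw`. The `LOG_REGEX` and `LOG_DIRS` values are taken from the answer's commands.

```shell
#!/bin/sh
# Added example (not from the original question or answer): find SELinux
# denials against logrotate_t and print the relabel commands to review.
# SAMPLE_AVC is constructed input in the standard auditd AVC line format.

SAMPLE_AVC='type=AVC msg=audit(1418527261.123:101): avc:  denied  { read } for  pid=3050 comm="logrotate" name="access.log" dev="dm-0" ino=1234 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1418527261.456:102): avc:  denied  { search } for  pid=3050 comm="logrotate" name="logs" dev="dm-0" ino=1235 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1418527262.789:103): avc:  denied  { write } for  pid=4100 comm="httpd" name="index.html" dev="dm-0" ino=1236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Pattern and directories from the answer's semanage/restorecon commands.
LOG_REGEX='/home/www-data/.*/logs/.*'
LOG_DIRS='/home/www-data/*/logs'

# Read AVC records on stdin; print "tclass permission target_type" for every
# denial whose source domain is logrotate_t. A context has the shape
# user:role:type:level, so the type is the third colon-separated element.
logrotate_denials() {
    awk '/avc: +denied/ {
        perm = ""; stype = ""; ttype = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") { split(kv[2], p, ":"); stype = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); ttype = p[3] }
            if (kv[1] == "tclass") cls = kv[2]
        }
        if (stype == "logrotate_t") print cls, perm, ttype
    }'
}

# Distinct target types that blocked logrotate, one per line.
blocking_types() {
    logrotate_denials | awk '{ print $3 }' | sort -u
}

# Print, but do not execute, the relabel commands from the answer for one
# offending target type, so an operator can review them before applying.
# var_log_t is the label the answer chose.
suggest_relabel() {
    type="$1"
    printf '# files labelled %s blocked logrotate; relabel with:\n' "$type"
    printf 'semanage fcontext -a -t var_log_t "%s"\n' "$LOG_REGEX"
    printf 'restorecon -R -v %s\n' "$LOG_DIRS"
}

main() {
    echo "== logrotate_t denials (class permission target_type) =="
    printf '%s\n' "$SAMPLE_AVC" | logrotate_denials
    echo "== suggested fix =="
    printf '%s\n' "$SAMPLE_AVC" | blocking_types | while read -r t; do
        suggest_relabel "$t"
    done
}

main
```

The httpd denial in the sample is deliberately ignored: filtering on the source type rather than on `comm=` keeps the check tied to the SELinux domain that logrotate actually runs in under cron, which is what distinguishes the cron run from the manual `sudo logrotate` run in the question.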