Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

RHELPRIO AssignedTeam ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: rhel-10.0
Component/s: dnf
Labels:
None

Severity:
Low
Epic Link:
SWM-7243

AssignedTeam:
rhel-swm

Story Points:
0
Target Version:

rhel-10.2
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:

Hide

/var/log/dnf.log and other log files maintained by dnf program preserves POSIX ACL (getfacl /var/log/dnf.log) on rotating them.

Show
/var/log/dnf.log and other log files maintained by dnf program preserves POSIX ACL (getfacl /var/log/dnf.log) on rotating them.
Git Pull Request:
https://github.com/rpm-software-management/dnf/pull/2284, https://github.com/rpm-software-management/ci-dnf-stack/pull/1787
Preliminary Testing:
None
Test Coverage:

New Test Coverage

Release Note Type:
Feature
Release Note Text:

Hide
Feature, enhancement: DNF preserves POSIX ALC on rotating /var/log/dnf.log file.
Reason: If a superuser sets ACL on that log, e.g. to get a read permission to particular users, it is desired that the permission survive rotating the log.
Result: DNF was enhanced to copy POSIX ACL from the current log files to new new, empty ones.

Show
Feature, enhancement: DNF preserves POSIX ALC on rotating /var/log/dnf.log file. Reason: If a superuser sets ACL on that log, e.g. to get a read permission to particular users, it is desired that the permission survive rotating the log. Result: DNF was enhanced to copy POSIX ACL from the current log files to new new, empty ones.
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

x86_64

PX Impact Score:
PX Technical Impact:
PX Impact Range:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

I am trying to set acl for a user on file /var/log/dnf.log. As the logrotation of dnf.log is managed by /etc/dnf/dnf.conf and there is no option to preserve the acl for dnf.log in /etc/dnf/dnf.conf.

//Test :

1. Added acl to dnf.log:

setfacl -Rm u:cribl:r-x,g:cribl:r-x /var/log/dnf.log
[root@localhost ~]# getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names
file: var/log/dnf.log
owner: root
group: root
user::rw-
user:cribl:r-x
group::r--
group:cribl:r-x
mask::r-x
other::r--

2. Installed a package to generate dnf logs, so that the file will be rotated.

3. File got rotated:

ll /var/log/ | grep dnf
~~rw-r~~r-. 1 root root 2440 Oct 16 05:37 dnf.librepo.log
~~rw-r~~r-. 1 root root 44211 Oct 16 05:09 dnf.librepo.log.1
~~rw-r-xr. 1 root root 4023 Oct 16 05:38 dnf.log <~~--- New file do not have acl.
~~rw-r-xr~~-+ 1 root root 10206 Oct 16 05:37 dnf.log.1
~~rw-r~~r-. 1 root root 122610 Oct 16 05:09 dnf.log.2
~~rw-r~~r-. 1 root root 5030 Oct 16 05:37 dnf.rpm.log

3. Stopped logrotation in dnf.conf file:

[root@localhost ~]# cat /etc/dnf/dnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
log_rotate=0
log_size=0

4. Added logrotation configuration:

cat /etc/logrotate.d/dnf
/var/log/hawkey.log
/var/log/dnf.log { missingok notifempty rotate 4 weekly create }

4. Again set acl:

[root@localhost ~]# setfacl -Rm u:cribl:r-x,g:cribl:r-x /var/log/dnf.log
[root@localhost ~]# getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names

file: var/log/dnf.log
owner: root
group: root
user::rw-
user:cribl:r-x
group::r-x
group:cribl:r-x
mask::r-x
other::r--

5. Logrotate forcefully:

logrotate ~~f /etc/logrotate.d/dnf <~~--Logrotate forcefully

ll /var/log/ | grep dnf
~~rw-r~~r-. 1 root root 2440 Oct 16 05:37 dnf.librepo.log
~~rw-r~~r-. 1 root root 44211 Oct 16 05:09 dnf.librepo.log.1
~~rw-r-xr+ 1 root root 0 Oct 16 05:41 dnf.log <~~---New generated file after rotation have acl
~~rw-r-xr~~-+ 1 root root 4023 Oct 16 05:38 dnf.log.1
~~rw-r-xr~~-+ 1 root root 10206 Oct 16 05:37 dnf.log.2
~~rw-r~~r-. 1 root root 122610 Oct 16 05:09 dnf.log.3
~~rw-r~~r-. 1 root root 5030 Oct 16 05:37 dnf.rpm.log

getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names
file: var/log/dnf.log
owner: root
group: root
user::rw-
user:cribl:r-x
group::r-x
group:cribl:r-x
mask::r-x
other::r--

What is the impact of this issue to you?
Customer need to give read and execute permission for cribl user to all files under /var/log/ to make cribl compliant.

Please provide the package NVR for which the bug is seen:

dnf-data-4.7.0-20.el8.noarch

How reproducible is this bug?:

It is reproducible.

clones

RHEL-122013 [RHEL 9] Preserve acl of file /var/log/dnf.log across logrotation

Planning

links to

KCS - DNF log rotation is handled in different places

Upstream RFE

Assignee:: Petr Pisar

Reporter:: Pragati Hatkamkar

Developer:: packaging-team-maint

QA Contact:: Software Management QE

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/10/23 3:33 PM

Updated:: 2025/11/24 2:56 PM

Stale Date:: 2026/10/22

Details

Description

What were you trying to do that didn't work?

//Test :

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates