CentOS: SELinux prevents omsconfig & omsagent logrotate

Sudden had received notes - Permission denied - about logs of omsconfig and omsagent.

Required to fix it by:

1.

/etc/cron.daily/logrotate:

error: stat of /var/opt/microsoft/omsagent/ABC-123/log/omsagent.log failed: Permission denied

error: stat of /var/opt/microsoft/omsagent/LAD/log/omsagent.log failed: Permission denied

error: stat of /var/opt/microsoft/omsconfig/omsconfig.log failed: Permission denied

error: stat of /var/opt/microsoft/omsconfig/omsconfigdetailed.log failed: Permission denied

2. 

# semanage fcontext -a -t var_log_t "/var/opt/microsoft/omsconfig(/.*.log)?"

# restorecon -Rv /var/opt/microsoft/omsconfig

  restorecon reset /var/opt/microsoft/omsconfig context system_u:object_r:var_t:s0->system_u:object_r:var_log_t:s0

  restorecon reset /var/opt/microsoft/omsconfig/omsconfig.log context system_u:object_r:var_t:s0->system_u:object_r:var_log_t:s0

  restorecon reset /var/opt/microsoft/omsconfig/omsconfigdetailed.log context system_u:object_r:var_t:s0->system_u:object_r:var_log_t:s0

Note: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files

The semanage fcontext command is used to change the SELinux context of files. ... The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. 

3.

error: stat of /var/opt/microsoft/omsagent/ABC-123/log/omsagent.log failed: Permission denied

error: stat of /var/opt/microsoft/omsagent/LAD/log/omsagent.log failed: Permission denied

# semanage fcontext -a -t var_log_t "/var/opt/microsoft/omsagent(/.*.log)?"

# restorecon -Rv /var/opt/microsoft/omsagent

4.

/opt/microsoft/omsconfig/etc/logrotate.conf:

/var/opt/microsoft/omsconfig/omsconfig.log {

  rotate 5

  sharedscripts

  weekly

  size 50M

  compress

}

/var/opt/microsoft/omsconfig/omsconfigdetailed.log {

  rotate 5

  sharedscripts

  size 50M

  compress

}

/var/opt/microsoft/omsagent/log/omsagent.log {

  rotate 5

  sharedscripts

  size 10M

  compress

  delaycompress

}

Note: delaycompress

gzip: stdin: file size changed while zipping

References

https://github.com/microsoft/OMS-Agent-for-Linux/issues/781

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files

Update