Solved: Cisco Unity syslog error

Michalis Papasavva · ‎03-15-2024

Hi,

We received on syslog server the below error message from unity subscriber. Anyone know what may cause the below message?

“SELinux is preventing /usr/sbin/logrotate from add_name access on the directory /var/log/active/tomcat/logs/localhost_access_log.txt.1”

Michalis Papasavva · ‎03-28-2024

Hi,

I received the below answer from TAC

Based on error we know is that Unity connection or any other Cisco collaboration application is set in enforce mode by default (on the OS level).
In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labelling objects and emitting access denial entries in the logs, but it does not actually deny any operations.
If the server is in permissive mode, there is no security breach, and it will not impact your unity connection as an application.
So again, nothing to do with the cisco products or application..
SELinux can run in one of three modes: disabled, permissive, or enforcing:

Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.
Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labelling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.
Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labelling any persistent objects such as files, making it difficult to enable SELinux in the future

In general, those messages can be ignore and will not have any impact on Cisco Unity.

Michalis Papasavva · ‎03-28-2024

Hi,

I received the below answer from TAC

Based on error we know is that Unity connection or any other Cisco collaboration application is set in enforce mode by default (on the OS level).
In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labelling objects and emitting access denial entries in the logs, but it does not actually deny any operations.
If the server is in permissive mode, there is no security breach, and it will not impact your unity connection as an application.
So again, nothing to do with the cisco products or application..
SELinux can run in one of three modes: disabled, permissive, or enforcing:

Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system.
Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labelling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development.
Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labelling any persistent objects such as files, making it difficult to enable SELinux in the future

In general, those messages can be ignore and will not have any impact on Cisco Unity.