
SELinux access issue. Process run as specific user cannot update files owned by same user but created by separate process


We have a system where Chef has deployed a monitoring agent, AppDynamics, as a specific user - let's call that user sysXYZ for the sake of this post. The AppDynamics agents create a daily log file, all with sysXYZ user ownership.

Tomcat, also being run as the sysXYZ user, hosts the application that is being monitored by the AppDynamics agent. Every day, the Tomcat instance is restarted (the project has its reasons) and the start-up process includes a step for renaming yesterday's AppDynamics logs. However, this is prevented by a permissions issue. Tomcat running as user sysXYZ cannot amend files owned by user sysXYZ but created by something that is not Tomcat.

I get that SELinux is meant to prevent unexpected access - say a malicious actor has been introduced - and I am fine with that concept. What can we do here to allow the Tomcat instance to rename the files appropriately each time it is restarted?


Solution

  • The correct and hard way is to amend the SELinux boolean on the Tomcat directories to allow Tomcat to amend files created by other users. Read here.

    The easy and dirty solution is to have the start-up process include a step for renaming yesterday's AppDynamics logs as user sysXYZ. That way you avoid the problem.

    Use the su - sysXYZ <script> command, or sudo -iu sysXYZ <script>, or sudo -t <Tomcat role> <script>.

    Good luck.
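Before changing policy or booleans, it helps to read the actual denial rather than guess. The helper below is an added example (not from the question or the answer above): it parses the AVC line auditd records when a confined Tomcat is refused a rename, extracts the source and target SELinux types, and prints the relabel commands for review instead of running them. The domain tomcat_t, the file types var_log_t and tomcat_log_t, and the log path are assumptions; the denial line is constructed.

```shell
#!/bin/sh
# Real lines come from: ausearch -m avc -ts recent   (and labels from: ls -Z <dir>)
# Constructed sample denial; domain, types and path are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { rename } for  pid=1234 comm="java" name="agent.log" dev="dm-0" ino=99 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> the value of KEY=value in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose_avc LINE -> "SRC_TYPE TGT_TYPE PERMS"; returns 1 if LINE is not a denial
diagnose_avc() {
    case $1 in *"avc:  denied"*) ;; *) return 1 ;; esac
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
    printf '%s %s %s\n' "$src" "$tgt" "$perms"
}

# suggest_fix PATH SRC_TYPE TGT_TYPE -> relabel commands when the log files do not
# carry the type the domain is allowed to manage (assumed naming: tomcat_t -> tomcat_log_t).
suggest_fix() {
    want="${2%_t}_log_t"
    if [ "$3" = "$want" ]; then
        echo "files already labelled $want; check booleans: getsebool -a | grep ${2%_t}"
        return 1
    fi
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$want" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# triage_avc LINE PATH -> the fix for one denial line, nothing for non-denials
triage_avc() {
    path=$2
    fields=$(diagnose_avc "$1") || return 0
    set -- $fields                      # $1=src type, $2=target type, rest=perms
    suggest_fix "$path" "$1" "$2"
}

# Demo on the constructed line: prints the semanage/restorecon commands to review.
triage_avc "$SAMPLE_AVC" /var/log/appdynamics
```

If the target type already matches, the remaining suspects are the booleans the answer refers to, which getsebool lists without changing anything.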