为什么 /var/log/messages 中会报告 SELinux 问题？

我发现 logrotate 存在 SELinux 问题。我只是想知道为什么它被报道在/var/log/messages，而不是在/var/log/audit/audit.log。我假设任何 SELinux 问题都会记录到audit.log 中。谁能解释一下原因吗？

我在 RHEL 8 系统上遇到了这种行为。在消息中找到条目：

Nov 22 03:23:14 itsrv2489 setroubleshoot[2468163]: SELinux is preventing logrotate from read access on the directory /var/www/html/g6. For complete SELinux messages run: sealert -l 2c99b2ca-3bf0-486d-b1c3-54bc6e87105e
Nov 22 03:23:14 itsrv2489 platform-python[2468163]: SELinux is preventing logrotate from read access on the directory /var/www/html/g6.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that logrotate should be allowed read access on the g6 directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate#012# semodule -X 300 -i my-logrotate.pp#012

上面的这两行是我格式化的：

Nov 22 03:23:14 itsrv2489 setroubleshoot[2468163]: SELinux is preventing logrotate from read access on the directory /var/www/html/g6. 
For complete SELinux messages run: 
sealert -l 2c99b2ca-3bf0-486d-b1c3-54bc6e87105e

Nov 22 03:23:14 itsrv2489 platform-python[2468163]: SELinux is preventing logrotate from read access on the directory /var/www/html/g6.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed read access on the g6 directory by default.

Then you should report this as a bug.
You can generate a local policy module to allow this access.

allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -X 300 -i my-logrotate.pp

通常我会在/var/log/audit/audit.log.

更新：最后我发现，audit.log 会自行轮换，并且由于它非常大，因此一些记录被删除。这就是为什么我在这些审核日志文件中找不到关键字“logrotate”的原因。我修改/etc/audit/auditd.conf为禁用轮换，第二天我能够在audit.log中找到“logrotate”（由cron作业触发，每天一次）。