Ted Rule wrote:
Version 7 of logwatch includes a major restructure of its directory layout compared to version 6. For SELinux enforcing machines, there are 2 problems; scripts have moved from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary file creation has moved to /var/cache/logwatch.

It seems that version 6 worked by dint of Cron already having sufficient SELinux permissions to /etc and /tmp; logwatch has no domain of its own.

I've added a couple of tweaks to my local strict policy as shown below, which seem to cover off its requirements for both Cron'ed and Manual invocations.

TE ....

# Allow Cron and Sudo invocations of logwatch to create temporary files
type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
allow system_crond_t logwatch_tmp_t:file create_file_perms;
allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
allow sysadm_t logwatch_tmp_t:file create_file_perms;
allow sysadm_t logwatch_tmp_t:dir create_dir_perms;

FC ....

# Executable scripts belonging to the logwatch package outside of /usr/sbin
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t

# Logwatch version 7 temporary spool area
/var/cache/logwatch(/.*)? system_u:object_r:logwatch_tmp_t
Added logwatch policy which should handle this.
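An added example, not part of the original thread or of any shipped logwatch policy: a simplified Python model of which paths the two FC entries quoted above would label. The names FC_ENTRIES, SAMPLES, lookup and report are hypothetical and the sample paths are constructed; the real tools also sort entries by specificity across the full policy, which this model does not do.

```python
import re

# The two file-context entries quoted in the post: (path regex, type flag, context).
# "--" restricts an entry to regular files; None means any file type.
FC_ENTRIES = [
    (r"/usr/share/logwatch/scripts/logwatch.pl", "--", "system_u:object_r:sbin_t"),
    (r"/var/cache/logwatch(/.*)?", None, "system_u:object_r:logwatch_tmp_t"),
]

# Constructed sample paths with the file type they would have ("--" file, "-d" dir).
SAMPLES = [
    ("/usr/share/logwatch/scripts/logwatch.pl", "--"),
    ("/usr/share/logwatch/scripts/logwatch.pl", "-d"),    # wrong type for "--"
    ("/usr/share/logwatch/scripts/logwatchXpl", "--"),    # unescaped "." matches "X"
    ("/usr/share/logwatch/scripts/services/sshd", "--"),  # not covered by either entry
    ("/var/cache/logwatch", "-d"),                        # the spool directory itself
    ("/var/cache/logwatch/logwatch.abc123/secure", "--"), # anything beneath it
    ("/var/cache/logwatch-old", "-d"),                    # sibling directory, no match
]


def lookup(path, ftype, entries=FC_ENTRIES):
    """Return the context of the last entry matching path and type, else None.

    Assumption: anchored whole-path regex match, last matching entry wins.
    """
    result = None
    for regex, flag, context in entries:
        if flag is not None and flag != ftype:
            continue  # entry is limited to a different file type
        if re.fullmatch(regex, path):
            result = context
    return result


def report(samples=SAMPLES):
    """Resolve every sample path to its context (None = left to other entries)."""
    return [(path, ftype, lookup(path, ftype)) for path, ftype in samples]


if __name__ == "__main__":
    for path, ftype, ctx in report():
        print(f"{ftype}  {path:46s} {ctx or '<no match in these two entries>'}")
```

Only logwatch.pl itself picks up sbin_t; the service scripts under the same directory keep whatever the rest of the policy assigns them.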