logwatch 7 breakage

Ted Rule ejtr at layer3.co.uk
Mon Dec 19 08:56:20 UTC 2005

Version 7 of logwatch includes a major restructure of its directory
layout compared to version 6.

For SELinux enforcing machines, there are 2 problems; scripts have moved
from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary
file creation has moved to /var/cache/logwatch.

It seems that version 6 worked by dint of Cron already having sufficient
SELinux permissions to /etc and /tmp; logwatch has no domain of its own.

I've added a couple of tweaks to my local strict policy as shown below,
which seem to cover off its requirements for both Cron'ed and Manual

TE ....

# Allow Cron and Sudo invocations of logwatch to create temporary files
type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
allow system_crond_t logwatch_tmp_t:file create_file_perms;
allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
allow sysadm_t logwatch_tmp_t:file create_file_perms;
allow sysadm_t logwatch_tmp_t:dir create_dir_perms;

FC ....

# Executable scripts belonging to the logwatch package outside
of /usr/sbin
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t

# Logwatch version 7 temporary spool area
/var/cache/logwatch(/.*)?  system_u:object_r:logwatch_tmp_t

Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/

More information about the fedora-selinux-list mailing list