Ted Rule wrote:
Version 7 of logwatch includes a major restructure of its directory
layout compared to version 6.
For SELinux enforcing machines, there are 2 problems; scripts have moved
from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary
file creation has moved to /var/cache/logwatch.
It seems that version 6 worked by dint of Cron already having sufficient
SELinux permissions to /etc and /tmp; logwatch has no domain of its own.
I've added a couple of tweaks to my local strict policy as shown below,
which seem to cover off its requirements for both Cron'ed and Manual
# Allow Cron and Sudo invocations of logwatch to create temporary files
type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
allow system_crond_t logwatch_tmp_t:file create_file_perms;
allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
allow sysadm_t logwatch_tmp_t:file create_file_perms;
allow sysadm_t logwatch_tmp_t:dir create_dir_perms;
# Executable scripts belonging to the logwatch package outside
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
# Logwatch version 7 temporary spool area
Added logwatch policy which should handle this.