I am getting the following security alert. If I am reading it right, logwatch is the culprit, so I am surprised. The message does tell me how to allow this activity, but again if this is logwatch, why is it not setting policy right?
SELinux is preventing mktemp from write access on the directory .esmtp_queue.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mktemp should be allowed write access on the .esmtp_queue directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp # semodule -X 300 -i my-mktemp.pp
Additional Information: Source Context system_u:system_r:logwatch_t:s0-s0:c0.c1023 Target Context system_u:object_r:mail_home_rw_t:s0 Target Objects .esmtp_queue [ dir ] Source mktemp Source Path mktemp Port <Unknown> Host lx121e.htt-consult.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.1-29.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name lx121e.htt-consult.com Platform Linux lx121e.htt-consult.com 4.16.11-300.fc28.x86_64 #1 SMP Tue May 22 18:29:09 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-05-28 03:17:06 EDT Last Seen 2018-05-28 03:17:06 EDT Local ID 769bacbf-0a48-48cf-8c93-27360ffcfdda
Raw Audit Messages type=AVC msg=audit(1527491826.281:568): avc: denied { write } for pid=21956 comm="mktemp" name=".esmtp_queue" dev="sda3" ino=1450925 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
Hash: mktemp,logwatch_t,mail_home_rw_t,dir,write
-
Robert Moskowitz