logwatch 7 breakage

Daniel J Walsh dwalsh at redhat.com
Fri Dec 30 16:20:24 UTC 2005


Ted Rule wrote:
> Version 7 of logwatch includes a major restructure of its directory
> layout compared to version 6.
>
> For SELinux enforcing machines, there are 2 problems; scripts have moved
> from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary
> file creation has moved to /var/cache/logwatch.
>
> It seems that version 6 worked by dint of Cron already having sufficient
> SELinux permissions to /etc and /tmp; logwatch has no domain of its own.
>
> I've added a couple of tweaks to my local strict policy as shown below,
> which seem to cover off its requirements for both Cron'ed and Manual
> invocations.
>
>
> TE ....
>
> # Allow Cron and Sudo invocations of logwatch to create temporary files
> type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
> allow system_crond_t logwatch_tmp_t:file create_file_perms;
> allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
> allow sysadm_t logwatch_tmp_t:file create_file_perms;
> allow sysadm_t logwatch_tmp_t:dir create_dir_perms;
>
> FC ....
>
> # Executable scripts belonging to the logwatch package outside of /usr/sbin
> /usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
>
> # Logwatch version 7 temporary spool area
> /var/cache/logwatch(/.*)?  system_u:object_r:logwatch_tmp_t
>
Added logwatch policy which should handle this.
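
The two FC entries quoted above can be checked against concrete paths to see what they label and what they leave uncovered. This is an added example, not part of the original thread or of the shipped logwatch policy; it assumes Python's re module behaves like the file_contexts regex dialect for these two patterns, and the helper names (parse_fc, lookup) and sample paths are constructed for illustration.

```python
import re

# The two FC entries from the quoted message (context field as posted).
FC_ENTRIES = """\
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
/var/cache/logwatch(/.*)?  system_u:object_r:logwatch_tmp_t
"""

# file_contexts type flags and the kind of object each restricts an entry to.
FILE_KINDS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "pipe"}


def parse_fc(text):
    """Parse file_contexts lines into (regex, kind or None, context) tuples."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 3:
            pattern, flag, context = fields
            kind = FILE_KINDS[flag]
        elif len(fields) == 2:
            (pattern, context), kind = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        entries.append((re.compile(pattern), kind, context))
    return entries


def lookup(entries, path, kind):
    """Return the context an entry assigns to path, or None if none applies.

    Patterns are anchored at both ends (fullmatch), as file_contexts does.
    Simplification: the last matching entry is returned; the two entries
    here never match the same path, so ordering does not matter.
    """
    result = None
    for regex, entry_kind, context in entries:
        if regex.fullmatch(path) and entry_kind in (None, kind):
            result = context
    return result


ENTRIES = parse_fc(FC_ENTRIES)
# Constructed sample paths: spool dir, a file below it, the main script,
# and a helper script that neither entry covers (prints None).
for path, kind in [("/var/cache/logwatch", "dir"),
                   ("/var/cache/logwatch/run1/secure", "file"),
                   ("/usr/share/logwatch/scripts/logwatch.pl", "file"),
                   ("/usr/share/logwatch/scripts/services/sshd", "file")]:
    print(path, kind, lookup(ENTRIES, path, kind))
```

Only logwatch.pl itself receives sbin_t; anything else under /usr/share/logwatch/scripts keeps whatever label other policy entries give it.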
