logwatch 7 breakage
Ted Rule
ejtr at layer3.co.uk
Mon Dec 19 08:56:20 UTC 2005
Version 7 of logwatch includes a major restructure of its directory
layout compared to version 6.

For SELinux enforcing machines, there are 2 problems; scripts have moved
from /etc/log.d/scripts to /usr/share/logwatch/scripts, and temporary
file creation has moved to /var/cache/logwatch.

It seems that version 6 worked by dint of Cron already having sufficient
SELinux permissions to /etc and /tmp; logwatch has no domain of its own.

I've added a couple of tweaks to my local strict policy as shown below,
which seem to cover off its requirements for both Cron'ed and Manual
invocations.

TE ....
# Allow Cron and Sudo invocations of logwatch to create temporary files
type logwatch_tmp_t, file_type, sysadmfile, tmpfile;
allow system_crond_t logwatch_tmp_t:file create_file_perms;
allow system_crond_t logwatch_tmp_t:dir create_dir_perms;
allow sysadm_t logwatch_tmp_t:file create_file_perms;
allow sysadm_t logwatch_tmp_t:dir create_dir_perms;
FC ....
# Executable scripts belonging to the logwatch package outside of /usr/sbin
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
# Logwatch version 7 temporary spool area
/var/cache/logwatch(/.*)? system_u:object_r:logwatch_tmp_t
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
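
How the two FC entries above select paths, as an added example that is not part of the original post: a simplified Python matcher (anchored regex plus the optional file-type flag; precedence between overlapping entries is not modelled, since these two do not overlap). The function names and the sample paths are constructed for illustration.

```python
import re
import stat

# The two FC entries from the post: pattern, optional file-type flag, context.
FC_TEXT = """
# Executable scripts belonging to the logwatch package outside of /usr/sbin
/usr/share/logwatch/scripts/logwatch.pl -- system_u:object_r:sbin_t
# Logwatch version 7 temporary spool area
/var/cache/logwatch(/.*)? system_u:object_r:logwatch_tmp_t
"""

# File-type flags accepted in file_contexts, mapped to stat mode predicates.
TYPE_FLAGS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
              "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-p": stat.S_ISFIFO,
              "-s": stat.S_ISSOCK}

def parse_fc(text):
    """Parse file_contexts text into (regex, type predicate or None, context)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3 and fields[1] in TYPE_FLAGS:
            pattern, check, context = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        elif len(fields) == 2:
            pattern, check, context = fields[0], None, fields[1]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        entries.append((re.compile(pattern), check, context))
    return entries

def lookup(entries, path, mode):
    """Context of the first entry matching the whole path and the file type."""
    for regex, check, context in entries:
        # fullmatch: file_contexts patterns are anchored at both ends.
        if regex.fullmatch(path) and (check is None or check(mode)):
            return context
    return None  # neither entry applies to this path

# Constructed sample paths (assumptions, not taken from a real system).
SAMPLES = [("/var/cache/logwatch", stat.S_IFDIR),
           ("/var/cache/logwatch/logwatch.XXXX/secure", stat.S_IFREG),
           ("/var/cache/logwatch-old", stat.S_IFDIR),
           ("/usr/share/logwatch/scripts/logwatch.pl", stat.S_IFREG),
           ("/usr/share/logwatch/scripts/services/sshd", stat.S_IFREG)]

if __name__ == "__main__":
    for path, mode in SAMPLES:
        print(path, "->", lookup(parse_fc(FC_TEXT), path, mode))
```

The last sample shows that the `--` entry covers only the regular file logwatch.pl; other files under the scripts directory match neither entry.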