1logwatch_selinux(8) SELinux Policy logwatch logwatch_selinux(8)
2
3
4
6 logwatch_selinux - Security Enhanced Linux Policy for the logwatch pro‐
7 cesses
8
10 Security-Enhanced Linux secures the logwatch processes via flexible
11 mandatory access control.
12
13 The logwatch processes execute with the logwatch_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep logwatch_t
20
21
22
24 The logwatch_t SELinux type can be entered via the logwatch_exec_t file
25 type.
26
27 The default entrypoint paths for the logwatch_t domain are the follow‐
28 ing:
29
30 /usr/sbin/epylog, /usr/sbin/logcheck, /usr/sbin/logwatch.pl,
31 /usr/share/logwatch/scripts/logwatch.pl
32
34 SELinux defines process types (domains) for each process running on the
35 system
36
37 You can see the context of a process using the -Z option to ps
38
39 Policy governs the access confined processes have to files. SELinux
40 logwatch policy is very flexible allowing users to setup their logwatch
41 processes in as secure a method as possible.
42
43 The following process types are defined for logwatch:
44
45 logwatch_t, logwatch_mail_t
46
47 Note: semanage permissive -a logwatch_t can be used to make the process
48 type logwatch_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
52
54 SELinux policy is customizable based on least access required. log‐
55 watch policy is extremely flexible and has several booleans that allow
56 you to manipulate the policy and run logwatch with the tightest access
57 possible.
58
59
60
61 If you want to determine whether logwatch can connect to mail over the
62 network, you must turn on the logwatch_can_network_connect_mail bool‐
63 ean. Disabled by default.
64
65 setsebool -P logwatch_can_network_connect_mail 1
66
67
68
69 If you want to allow all domains to execute in fips_mode, you must turn
70 on the fips_mode boolean. Enabled by default.
71
72 setsebool -P fips_mode 1
73
74
75
76 If you want to allow system to run with NIS, you must turn on the
77 nis_enabled boolean. Disabled by default.
78
79 setsebool -P nis_enabled 1
80
81
82
83 If you want to support NFS home directories, you must turn on the
84 use_nfs_home_dirs boolean. Enabled by default.
85
86 setsebool -P use_nfs_home_dirs 1
87
88
89
90 If you want to support SAMBA home directories, you must turn on the
91 use_samba_home_dirs boolean. Disabled by default.
92
93 setsebool -P use_samba_home_dirs 1
94
95
96
98 The SELinux process type logwatch_t can manage files labeled with the
99 following file types. The paths listed are the default paths for these
100 file types. Note the processes UID still need to have DAC permissions.
101
102 cluster_conf_t
103
104 /etc/cluster(/.*)?
105
106 cluster_var_lib_t
107
108 /var/lib/pcsd(/.*)?
109 /var/lib/cluster(/.*)?
110 /var/lib/openais(/.*)?
111 /var/lib/pengine(/.*)?
112 /var/lib/corosync(/.*)?
113 /usr/lib/heartbeat(/.*)?
114 /var/lib/heartbeat(/.*)?
115 /var/lib/pacemaker(/.*)?
116
117 cluster_var_run_t
118
119 /var/run/crm(/.*)?
120 /var/run/cman_.*
121 /var/run/rsctmp(/.*)?
122 /var/run/aisexec.*
123 /var/run/heartbeat(/.*)?
124 /var/run/corosync-qnetd(/.*)?
125 /var/run/corosync-qdevice(/.*)?
126 /var/run/corosync.pid
127 /var/run/cpglockd.pid
128 /var/run/rgmanager.pid
129 /var/run/cluster/rgmanager.sk
130
131 logwatch_cache_t
132
133 /var/lib/epylog(/.*)?
134 /var/lib/logcheck(/.*)?
135 /var/cache/logwatch(/.*)?
136
137 logwatch_lock_t
138
139 /var/lock/logcheck.*
140
141 logwatch_var_run_t
142
143 /var/run/epylog.pid
144
145 root_t
146
147 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
148 /
149 /initrd
150
151
153 SELinux requires files to have an extended attribute to define the file
154 type.
155
156 You can see the context of a file using the -Z option to ls
157
158 Policy governs the access confined processes have to these files.
159 SELinux logwatch policy is very flexible allowing users to setup their
160 logwatch processes in as secure a method as possible.
161
162 STANDARD FILE CONTEXT
163
164 SELinux defines the file context types for the logwatch, if you wanted
165 to store files with these types in a diffent paths, you need to execute
166 the semanage command to sepecify alternate labeling and then use
167 restorecon to put the labels on disk.
168
169 semanage fcontext -a -t logwatch_mail_tmp_t '/srv/mylogwatch_con‐
170 tent(/.*)?'
171 restorecon -R -v /srv/mylogwatch_content
172
173 Note: SELinux often uses regular expressions to specify labels that
174 match multiple files.
175
176 The following file types are defined for logwatch:
177
178
179
180 logwatch_cache_t
181
182 - Set files with the logwatch_cache_t type, if you want to store the
183 files under the /var/cache directory.
184
185
186 Paths:
187 /var/lib/epylog(/.*)?, /var/lib/logcheck(/.*)?, /var/cache/log‐
188 watch(/.*)?
189
190
191 logwatch_exec_t
192
193 - Set files with the logwatch_exec_t type, if you want to transition an
194 executable to the logwatch_t domain.
195
196
197 Paths:
198 /usr/sbin/epylog, /usr/sbin/logcheck, /usr/sbin/logwatch.pl,
199 /usr/share/logwatch/scripts/logwatch.pl
200
201
202 logwatch_lock_t
203
204 - Set files with the logwatch_lock_t type, if you want to treat the
205 files as logwatch lock data, stored under the /var/lock directory
206
207
208
209 logwatch_mail_tmp_t
210
211 - Set files with the logwatch_mail_tmp_t type, if you want to store
212 logwatch mail temporary files in the /tmp directories.
213
214
215
216 logwatch_tmp_t
217
218 - Set files with the logwatch_tmp_t type, if you want to store logwatch
219 temporary files in the /tmp directories.
220
221
222
223 logwatch_var_run_t
224
225 - Set files with the logwatch_var_run_t type, if you want to store the
226 logwatch files under the /run or /var/run directory.
227
228
229
230 Note: File context can be temporarily modified with the chcon command.
231 If you want to permanently change the file context you need to use the
232 semanage fcontext command. This will modify the SELinux labeling data‐
233 base. You will need to use restorecon to apply the labels.
234
235
237 semanage fcontext can also be used to manipulate default file context
238 mappings.
239
240 semanage permissive can also be used to manipulate whether or not a
241 process type is permissive.
242
243 semanage module can also be used to enable/disable/install/remove pol‐
244 icy modules.
245
246 semanage boolean can also be used to manipulate the booleans
247
248
249 system-config-selinux is a GUI tool available to customize SELinux pol‐
250 icy settings.
251
252
254 This manual page was auto-generated using sepolicy manpage .
255
256
258 selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1), sepol‐
259 icy(8), setsebool(8), logwatch_mail_selinux(8), log‐
260 watch_mail_selinux(8)
261
262
263
264logwatch 21-03-26 logwatch_selinux(8)