Logwatch run from cron.daily: permissions incompatibility with opensmtpd?

I have recently migrated to using lightweight opensmtpd on one of my boxes, which is configured to forward to another machine running postfix.

This appears to work great… except that logwatch, when run through cron, is unable to send email. Cron sends me an email (ironically through opensmtpd) with the following content:

/etc/cron.daily/0logwatch:

sendmail: cannot create temporary file /var/spool/smtpd/offline/1739521622.XXXXKYbyxk: Permission denied

When I run logwatch directly as root, it works fine – the email is sent as expected.

My understanding was that anacron was running the scripts in cron.daily as root, so I’m not sure what is going on here. Is this another systemd hardening thing? SELinux does not appear to be the issue, the permissions on /var/spool/smtpd/offline appear to be correct (matching the RPM), and the permissions on /usr/sbin/smtpctl are also fine.

Add some code to the script to log details of the process like the ID it is running as. Check it is indeed root.

Executing anacron -d -s -n -f cron.daily to force cron.daily to run immediately and in the foreground, and then monitoring the process tree for anacron, I can confirm that the processes are indeed running as root:

# pstree -p -u 251498
anacron(251498)───run-parts(251499)─┬─0logwatch(251504)───logwatch(251507)─┬─sendmail(251603)
                                    │                                      └─sh(251944)───sh(251945)───perl(251949)
                                    └─sed(251505)

# ps -ef | grep 251603
root      251603  251507  0 09:34 pts/28   00:00:00 /usr/sbin/sendmail -t

Oh interesting… when run this way – it worked fine and sent the email as expected. :frowning:

OK, it does appear to be an SELinux issue after all (for some reason sealert didn’t alert on it, but the entries are in sealert and in the audit.log).

I have created this Bugzilla via sealert.
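
Added example, not part of the thread: a small Python parser that pulls the AVC denials for one command out of audit.log-style text and groups them by source domain, target type, class and permission. It shows why "running as root" did not settle the question: the denial is keyed on the SELinux domain of the process, not its uid. The sample records, SELinux type names, pids and inode numbers are constructed for illustration and are not taken from the poster's audit.log.

```python
import re
from collections import Counter

# Constructed sample in audit.log format. Type names (logwatch_mail_t,
# mail_spool_t), pids and inodes are assumptions, not the poster's data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:901): avc:  denied  { write } for  pid=4101 comm="sendmail" name="offline" dev="dm-0" ino=131 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=257 success=no exit=-13 comm="sendmail" exe="/usr/sbin/smtpctl"
type=AVC msg=audit(1700000050.007:902): avc:  denied  { read } for  pid=4200 comm="chronyd" name="example" dev="dm-0" ino=55 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700086400.300:950): avc:  denied  { write } for  pid=5102 comm="sendmail" name="offline" dev="dm-0" ino=131 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def denials_for(log_text, comm):
    """Return one dict per AVC denial whose comm= field equals `comm`."""
    found = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL, PATH and other record types are skipped
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
        if fields.get("comm") == comm:
            fields["perms"] = " ".join(match.group("perms").split())
            found.append(fields)
    return found


def selinux_type(context):
    """Extract the type from a user:role:type:level context string."""
    return context.split(":")[2]


def summarise(denials):
    """Count denials per (source domain, target type, class, permissions)."""
    return Counter(
        (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"], d["perms"])
        for d in denials
    )


if __name__ == "__main__":
    for key, count in summarise(denials_for(SAMPLE_AUDIT_LOG, "sendmail")).items():
        print(count, *key)
```

The first column of the summary is the domain the denied process ran in. A uid check alone cannot tell a confined root process from an unconfined one, which is why logging the SELinux context next to the user ID is useful when a job behaves differently from cron than from a root shell.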