Description of problem:
AVC Denial

Version-Release number of selected component (if applicable):
$ rpm -qf /usr/bin/updatedb
mlocate-0.16-1

How reproducible:
Always

Steps to Reproduce:
1. Configure Fedora7 with nis and automount
2. wait until the daily crontab runs mlocate.cron

Actual results:
setroubleshoot browser pops up with an AVC denial, see below:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "write" to socket (nscd_var_run_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for socket,
restorecon -v socket
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:locate_t
Target Context: system_u:object_r:nscd_var_run_t
Target Objects: socket [ sock_file ]
Affected RPM Packages: mlocate-0.16-1 [application]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: renault-5.secteam.juniper.net
Platform: Linux renault-5.secteam.juniper.net 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count: 2
First Seen: Fri 01 Jun 2007 06:56:37 PM PDT
Last Seen: Fri 01 Jun 2007 06:56:37 PM PDT
Local ID: 1dc7b2d5-f5ac-4d1f-9eb5-d576e820435a
Line Numbers:

Raw Audit Messages :
avc: denied { write } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="socket" pid=30631 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file tcontext=system_u:object_r:nscd_var_run_t:s0 tty=(none) uid=0

Expected results:
No denial
Thanks for your report. This happens because updatedb looks up the GID of the [ms]locate group.
Fixed in selinux-policy-2.6.4-14
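For anyone triaging alerts like this one, the following is an added example, not code from the report, from setroubleshoot or from the mlocate project. It parses the raw AVC record quoted above into its fields, reduces it to the facts an analyst checks first (source domain, target type, object class, permission, whether the call actually failed with EACCES), and recognises the exact pattern the maintainer explains: locate_t writing to the nscd socket while resolving the locate group's GID, which is resolved by the policy update named above rather than by a local module. The function names (parse_avc, triage, is_known_locate_nscd_denial, summarize) are mine, and the second record (OTHER_AVC) is a constructed contrast case that must not match.

```python
import re
import shlex

# Constructed sample input: the raw AVC record quoted in the report above,
# joined onto a single line the way the audit log stores it.
REPORTED_AVC = (
    'avc: denied { write } for comm="updatedb" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="socket" '
    'pid=30631 scontext=system_u:system_r:locate_t:s0 sgid=0 '
    'subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file '
    'tcontext=system_u:object_r:nscd_var_run_t:s0 tty=(none) uid=0'
)

# Constructed contrast case (not from the report): same domain, but a read of a
# regular file with a placeholder type. It must NOT match the known pattern.
OTHER_AVC = (
    'avc: denied { read } for comm="updatedb" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=-13 name="example.txt" pid=30632 '
    'scontext=system_u:system_r:locate_t:s0 tclass=file '
    'tcontext=system_u:object_r:example_t:s0 tty=(none) uid=0'
)

# Shape of a record: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)


def parse_avc(line):
    """Parse one AVC record into a dict of its key=value fields.

    'result' is 'denied' or 'granted'; 'perms' is the list inside the braces.
    Quoted values (comm, exe, name) have their quotes removed by shlex.
    """
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {"result": m.group("result"), "perms": m.group("perms").split()}
    for token in shlex.split(m.group("rest")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def split_context(ctx):
    """Split a user:role:type[:level] security context into its parts."""
    user, role, type_, *level = ctx.split(":")
    return {"user": user, "role": role, "type": type_,
            "level": ":".join(level) if level else None}


def triage(fields):
    """Reduce a parsed record to the facts an analyst looks at first."""
    return {
        "source_type": split_context(fields["scontext"])["type"],
        "target_type": split_context(fields["tcontext"])["type"],
        "tclass": fields["tclass"],
        "perms": fields["perms"],
        "exe": fields.get("exe"),
        # exit=-13 is -EACCES: the kernel refused the call, so the program saw a failure.
        "eacces": fields.get("exit") == "-13",
        "as_root": fields.get("euid") == "0",
    }


def is_known_locate_nscd_denial(fields):
    """True for the pattern in this report: locate_t writing to the nscd socket
    (the GID lookup for the locate group), which the maintainer states is fixed
    by a newer selinux-policy rather than by a local policy module."""
    t = triage(fields)
    return (fields["result"] == "denied"
            and t["source_type"] == "locate_t"
            and t["target_type"] == "nscd_var_run_t"
            and t["tclass"] == "sock_file"
            and t["perms"] == ["write"])


def summarize(line):
    """One-line summary in the shape setroubleshoot's Summary uses."""
    f = parse_avc(line)
    t = triage(f)
    tag = " [known: fixed in newer selinux-policy]" if is_known_locate_nscd_denial(f) else ""
    return 'SELinux %s %s (%s) "%s" to %s (%s)%s' % (
        f["result"], t["exe"], t["source_type"], " ".join(t["perms"]),
        f.get("name", "?"), t["target_type"], tag)


if __name__ == "__main__":
    for rec in (REPORTED_AVC, OTHER_AVC):
        print(summarize(rec))
```

The matcher is deliberately narrow: it keys on the source type, target type, object class and permission together, so a different denial from the same updatedb process (the constructed OTHER_AVC) still surfaces for review instead of being waved through with the known one.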