Description of problem:

Version-Release number of selected component (if applicable):
From setroubleshoot: Affected RPM Packages: mlocate-0.16-1 [application] filesystem-2.4.6-1.fc7 [target]

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 7 to dual-boot with Windows
2. Make mount points for your Windows partitions (mine are in /mnt/win/[c,e,f])
3. Add your Windows partitions to /etc/fstab so that they are mounted on boot
4. Wait for updatedb to run

Actual results:
AVC denial pops up in the notification area

Expected results:
No AVC denials

Additional info:
There seems to be a bug in one of the SELinux utilities, since the output below claims that / has a dosfs_t context. It hasn't. /mnt/win/[c,e] have dosfs_t contexts. I got a similar message to the one below that had the following summary:

SELinux is preventing /usr/bin/updatedb (locate_t) "read" to / (fusefs_t).

This probably refers to /mnt/win/f, which is an NTFS partition, and has this SELinux context. Anyway, below is the complete output of setroubleshoot for the first updatedb AVC denial:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "read" to / (dosfs_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /, restorecon -v / If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Additional Information
Source Context: system_u:system_r:locate_t
Target Context: system_u:object_r:dosfs_t
Target Objects: / [ dir ]
Affected RPM Packages: mlocate-0.16-1 [application] filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: tyrannosaurus
Platform: Linux tyrannosaurus 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count: 2
First Seen: Wed 06 Jun 2007 11:54:29 AM CEST
Last Seen: Wed 06 Jun 2007 11:54:29 AM CEST
Local ID: 8f00d031-1e9a-453d-9d77-09b73e1d1a48
Line Numbers:

Raw Audit Messages:
avc: denied { read } for comm="updatedb" dev=sda1 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=10325 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:dosfs_t:s0 tty=(none) uid=0
Thanks for your report. This is a stronger version of #239722; if the file system is not excluded, getattr is not enough for updatedb.
Fixed in selinux-policy-2.6.4-13
I have gotten another updatedb AVC denial. Is it suggested that I file a new bug report or can I put it here? Anyway, here goes (if you want me to file another report, just say so). This one is more cryptic than the last one:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "search" to (kernel_t).

Raw Audit Messages:
avc: denied { search } for comm="updatedb" egid=0 euid=0 exe="/usr/bin/updatedb" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=21924 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=key tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0
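Both raw AVC records in this report (the dir/dosfs_t one in the original description and the key/kernel_t one in the comment above) share one format: the permission set in braces, then key=value fields, of which scontext, tcontext and tclass are what a policy rule is written against. The parser below is an added example for readers of this bug, not code from the reporter, from setroubleshoot or from selinux-policy. It takes the two records from this report as sample input, extracts the source type, target type, class and permissions, and assembles the allow rules and a local-module .te source in the shape that audit2allow -M produces; the module name updatedb_local is a hypothetical one chosen here. It also reads the exit= field, which is the syscall's return value (-13 is -EACCES on Linux, so the first call really failed, while exit=0 shows the second completed despite the logged denial).

```python
import re
from collections import namedtuple

# The two raw AVC records from this bug report, used as sample input.
AVC_SAMPLES = [
    'avc: denied { read } for comm="updatedb" dev=sda1 egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=10325 scontext=system_u:system_r:locate_t:s0 sgid=0 '
    'subj=system_u:system_r:locate_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:dosfs_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="updatedb" egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=21924 '
    'scontext=system_u:system_r:locate_t:s0 sgid=0 '
    'subj=system_u:system_r:locate_t:s0 suid=0 tclass=key '
    'tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0',
]

Denial = namedtuple("Denial", "perms fields")

# Layout: avc: denied { perm perm ... } for key=value key="quoted value" ...
_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = _HEAD.search(line)
    if not m or m.group(1) != "denied":
        raise ValueError("not an AVC denial: %r" % line)
    perms = m.group(2).split()
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(3))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s: %r" % (required, line))
    return Denial(perms, fields)


def type_of(context):
    """user:role:type[:range] -> type, the component policy rules name."""
    return context.split(":")[2]


def syscall_failed(d):
    """exit= is the syscall return value: negative errno (-13 = -EACCES) means it failed."""
    return int(d.fields.get("exit", "0")) < 0


def allow_rule(d):
    """One allow rule in SELinux policy-language syntax for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ %s }" % " ".join(d.perms)
    return "allow %s %s:%s %s;" % (type_of(d.fields["scontext"]),
                                   type_of(d.fields["tcontext"]),
                                   d.fields["tclass"], perms)


def local_module(denials, name="updatedb_local"):
    """Assemble .te source for a local module; the module name is hypothetical."""
    types, classes, rules = set(), {}, []
    for d in denials:
        types.update((type_of(d.fields["scontext"]), type_of(d.fields["tcontext"])))
        classes.setdefault(d.fields["tclass"], set()).update(d.perms)
        rules.append(allow_rule(d))
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        p = sorted(perms)
        out.append("\tclass %s %s;" % (cls, p[0] if len(p) == 1 else "{ %s }" % " ".join(p)))
    out += ["}", ""] + sorted(set(rules))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = [parse_avc(line) for line in AVC_SAMPLES]
    for d in denials:
        print("%s: %s (syscall failed: %s)"
              % (d.fields["comm"], allow_rule(d), syscall_failed(d)))
    print(local_module(denials))
```

Two things the parsed fields make visible that the setroubleshoot summary hides: name= is only the last path component on the device given by dev=, so name="/" with dev=sda1 is the root directory of that partition, not the system root that the summary text suggests; and the second record has no dev= or name= at all because tclass=key is a kernel keyring lookup, not a filesystem object. Review the generated rule before loading anything with semodule: a blanket allow on locate_t reading every dosfs_t directory is the workaround setroubleshoot offers, whereas the fix the maintainer shipped in the policy package (and excluding the filesystem from updatedb) is what actually belongs on the system.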
Fixed in selinux-policy-2.6.4-14.
Closing as fixes are in the current release