Bug 242899 - updatedb AVC denial
Summary: updatedb AVC denial
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-06-06 10:18 UTC by Ingemar Nilsson
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:10:33 UTC
Type: ---
Embargoed:



Description Ingemar Nilsson 2007-06-06 10:18:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):

From setroubleshoot:

Affected RPM Packages:
mlocate-0.16-1 [application]
filesystem-2.4.6-1.fc7 [target]

How reproducible:

Always

Steps to Reproduce:
1. Install Fedora 7 to dual-boot with Windows
2. Make mount points for your Windows partitions (mine are in /mnt/win/[c,e,f])
3. Add your Windows partitions to /etc/fstab so that they are mounted on boot
4. Wait for updatedb to run
  
Actual results:

AVC denial pops up in the notification area

Expected results:

No AVC denials

Additional info:

There seems to be a bug in one of the SELinux utilities, since the output below
claims that / has a dosfs_t context. It hasn't. /mnt/win/[c,e] have dosfs_t
contexts. I got a similar message to the one below that had the following summary:

SELinux is preventing /usr/bin/updatedb (locate_t) "read" to / (fusefs_t).

This probably refers to /mnt/win/f, which is an NTFS partition, and has this
SELinux context. Anyway, below is the complete output of setroubleshoot for the
first updatedb avc denial:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "read" to / (dosfs_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that
this access is required by /usr/bin/updatedb and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /, restorecon -v / If this does not work,
there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:locate_t
Target Context:  system_u:object_r:dosfs_t
Target Objects:  / [ dir ]
Affected RPM Packages:  mlocate-0.16-1 [application]  filesystem-2.4.6-1.fc7 [target]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  tyrannosaurus
Platform:  Linux tyrannosaurus 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT
2007 i686 i686
Alert Count:  2
First Seen:  Wed 06 Jun 2007 11:54:29 AM CEST
Last Seen:  Wed 06 Jun 2007 11:54:29 AM CEST
Local ID:  8f00d031-1e9a-453d-9d77-09b73e1d1a48
Line Numbers:

Raw Audit Messages :avc: denied { read } for comm="updatedb" dev=sda1 egid=0
euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=10325 scontext=system_u:system_r:locate_t:s0 sgid=0
subj=system_u:system_r:locate_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:dosfs_t:s0 tty=(none) uid=0

Comment 1 Miloslav Trmač 2007-06-06 13:43:41 UTC
Thanks for your report.

This is a stronger version of #239722; if the file system is not excluded,
getattr is not enough for updatedb.

Comment 2 Daniel Walsh 2007-06-06 15:42:09 UTC
Fixed in selinux-policy-2.6.4-13

Comment 3 Ingemar Nilsson 2007-06-07 14:57:50 UTC
I have gotten another updatedb AVC denial. Is it suggested that I file a new bug
report or can I put it here? Anyway, here goes (if you want me to file another
report, just say so). This one is more cryptic than the last one:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "search" to (kernel_t).

Raw Audit Messages
:avc: denied { search } for comm="updatedb" egid=0 euid=0
exe="/usr/bin/updatedb" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=21924
scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0
suid=0 tclass=key tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0
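Both denials in this bug (the dir read on a dosfs_t mount in the description, and the key search against kernel_t in comment 3) arrive as raw AVC records that have to be pulled apart by hand to see which domain, which target type and which object class are involved. The following is an added example, not code from this bug, from setroubleshoot or from mlocate: a small parser for the `avc: denied { perm } for key=value ...` record format, plus a triage helper that separates filesystem-labeling denials from everything else. The two sample records are constructed here by copying the fields of the two messages quoted above; the category names, the `audit2allow`-style rule rendering and the hint about mlocate's PRUNEFS/PRUNEPATHS exclusions are my own additions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records: single-line copies of the two raw audit
# messages quoted in this bug (description and comment 3).
SAMPLE_AVCS: List[str] = [
    'avc: denied { read } for comm="updatedb" dev=sda1 egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=10325 scontext=system_u:system_r:locate_t:s0 sgid=0 '
    'subj=system_u:system_r:locate_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:dosfs_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="updatedb" egid=0 euid=0 '
    'exe="/usr/bin/updatedb" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=21924 '
    'scontext=system_u:system_r:locate_t:s0 sgid=0 '
    'subj=system_u:system_r:locate_t:s0 suid=0 tclass=key '
    'tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0',
]

# "avc: denied { read write } for <key=value fields...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, object]:
    """Parse one AVC record into a dict of its key=value fields.

    Adds two synthetic keys: 'verdict' ("denied"/"granted") and 'perms'
    (list of the permissions inside the braces). Raises ValueError for
    lines that are not AVC records, so callers can skip other audit types.
    """
    m = AVC_RE.search(line.strip())
    if m is None:
        raise ValueError(f"not an AVC record: {line!r}")
    rec: Dict[str, object] = {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = bare if bare else quoted
    return rec


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def audit2allow_rule(rec: Dict[str, object]) -> str:
    """Render the allow rule audit2allow would derive from this record.

    Shown so the reviewer can see what a local module would grant; whether
    that grant is appropriate is exactly the question the bug is about.
    """
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {context_type(rec['scontext'])} "
            f"{context_type(rec['tcontext'])}:{rec['tclass']} {perm_str};")


def triage(rec: Dict[str, object]) -> Tuple[str, str]:
    """Classify a denial as a filesystem-labeling issue or something else.

    Category names are this example's own; the PRUNEFS/PRUNEPATHS hint
    refers to mlocate's /etc/updatedb.conf exclusion lists.
    """
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    cls = rec["tclass"]
    if cls in ("dir", "file", "lnk_file") and tgt.endswith("fs_t"):
        return ("filesystem-label",
                f"{src} hit a {tgt}-labelled {cls} ({rec.get('name', '?')}); "
                f"check mount labels, then PRUNEFS/PRUNEPATHS or the policy")
    if cls == "key":
        return ("kernel-keyring",
                f"{src} searched a keyring owned by {tgt}; no file labels involved")
    return ("other", f"{src} -> {tgt}:{cls} {' '.join(rec['perms'])}")


def summarize(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (category, explanation, allow-rule) for every AVC line in lines."""
    out = []
    for line in lines:
        try:
            rec = parse_avc(line)
        except ValueError:
            continue  # not an AVC record (e.g. SYSCALL, CWD, PATH lines)
        cat, why = triage(rec)
        out.append((cat, why, audit2allow_rule(rec)))
    return out


if __name__ == "__main__":
    for cat, why, rule in summarize(SAMPLE_AVCS):
        print(f"[{cat}] {why}\n    {rule}")
```

Feeding `ausearch -m avc` output line by line into `summarize` gives the same three-part summary per record; lines of other audit types are skipped rather than mis-parsed. The first sample lands in the filesystem-label bucket, which is the reporter's case (a dosfs_t mount that updatedb needs to read), and the second shows that the comment 3 denial has nothing to do with mount labels at all.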


Comment 4 Daniel Walsh 2007-06-11 12:36:26 UTC
Fixed in selinux-policy-2.6.4-14.

Comment 5 Daniel Walsh 2007-08-22 14:10:33 UTC
Closing as fixes are in the current release

