Description of problem:
SELinux is preventing updatedb (locate_t) "getattr" to /usr/share/sagator (sagator_t).

Version-Release number of selected component (if applicable):
see below

How reproducible:
Has only happened today since running ./autorelabel on reboot yesterday. Could be related to this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=486685

Steps to Reproduce:
1. Not sure, probably related to the workaround I used to update sagator

Actual results:
Error below

Expected results:
no errors

Additional info:

Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /usr/share/sagator (sagator_t).

Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access is required by updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/sagator:

    restorecon -v '/usr/share/sagator'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sagator_t:s0
Target Objects                /usr/share/sagator [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora10.sata1
Source RPM Packages           mlocate-0.21.1-1
Target RPM Packages           sagator-core-1.1.1-1.fc10
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     fedora10.sata1
Platform                      Linux fedora10.sata1 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 26 Feb 2009 04:19:27 AM MST
Last Seen                     Thu 26 Feb 2009 04:19:27 AM MST
Local ID                      426f3de5-58b5-44ee-960e-be069add3528
Line Numbers

Raw Audit Messages

node=fedora10.sata1 type=AVC msg=audit(1235647167.100:13309): avc: denied { getattr } for pid=16332 comm="updatedb" path="/usr/share/sagator" dev=sda6 ino=3050510 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sagator_t:s0 tclass=dir

node=fedora10.sata1 type=SYSCALL msg=audit(1235647167.100:13309): arch=c000003e syscall=6 success=no exit=-13 a0=1c6a4e9 a1=7fff37c16ca0 a2=7fff37c16ca0 a3=1c604e0 items=0 ppid=16326 pid=16332 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2482 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
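Added example, not part of this bug report or of the sagator or setroubleshoot code: a small Python parser that takes the raw AVC record quoted above and extracts what the denial actually says (source domain, target type, object class, denied permission), then builds the type-enforcement rule a local policy module of the kind the report mentions would need, which is the same rule audit2allow derives from such a record. `AVC_RECORD` is copied from the report; the function names are mine.

```python
import re

# Constructed input: the raw AVC record quoted in this bug report (one line).
AVC_RECORD = (
    'node=fedora10.sata1 type=AVC msg=audit(1235647167.100:13309): avc: denied '
    '{ getattr } for pid=16332 comm="updatedb" path="/usr/share/sagator" dev=sda6 '
    'ino=3050510 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sagator_t:s0 tclass=dir'
)

# "avc: denied { perm1 perm2 ... }" - the set of permissions that were refused.
_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be quoted (comm="updatedb") or bare (tclass=dir).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return perms, source type, target type, class, process name and path."""
    m = _PERMS_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def describe(denial):
    """One-line summary modelled on the header of a setroubleshoot report."""
    return '%s (%s) was denied "%s" to %s (%s, %s)' % (
        denial["comm"], denial["stype"], " ".join(denial["perms"]),
        denial["path"], denial["ttype"], denial["tclass"])


def allow_rule(denial):
    """Type-enforcement rule a local module would need to permit exactly this
    access; this is the same rule audit2allow derives from the record."""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        denial["stype"], denial["ttype"], denial["tclass"], perm_str)
```

As the report itself advises, check the label first (restorecon) before writing such a rule: a rule derived from a mislabeled directory bakes the mislabeling into local policy instead of fixing it.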
I can't reproduce this on my system; I tried running "updatedb" manually, but still no audit messages in dmesg/audit.log. Maybe it's possible to avoid this by removing the sagator-selinux package, but then sagator will run without SELinux protection. There are also more problems with the current SELinux policy and sagator's policy. The whole policy should be updated.
Your finding is interesting because the error has not repeated today. The system has had no SELinux policy updates since the last one in updates-testing, and I have not run any SELinux commands. It seems to have self-corrected. If that changes, I'll update the ticket, but for now it seems to be fine.
This bug is fixed upstream in sagator-1.2.0, but it's not easy to implement this in Fedora 10. But I am seeing that updatedb is running on my Fedora 10 box as unconfined_t, which can access sagator_*_t files, so there is no problem in current releases. Closing this bug. Reopen it if you still have problems.