Description of problem:
updatedb triggers SELinux denial

Version-Release number of selected component (if applicable):
mlocate-0.22-1.i586

How reproducible:

Steps to Reproduce:

Actual results:

Source Context: system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context: system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects: socket [ tcp_socket ]
Source: updatedb
Source Path: /usr/bin/updatedb
Port: <Unknown>
Host: pig
Source RPM Packages: mlocate-0.22-1
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-69.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: pig
Platform: Linux pig 2.6.29.6-217.2.3.fc11.i686.PAE #1 SMP Wed Jul 29 16:05:22 EDT 2009 i686 athlon
Alert Count: 4
First Seen: Fri 07 Aug 2009 03:47:14 EST
Last Seen: Tue 11 Aug 2009 09:09:20 EST
Local ID: a33a5980-9952-46be-a49d-976805cf1063
Line Numbers:

Raw Audit Messages :

node=pig type=AVC msg=audit(1249945760.74:27958): avc: denied { read write } for pid=3784 comm="updatedb" path="socket:[108115]" dev=sockfs ino=108115 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

node=pig type=SYSCALL msg=audit(1249945760.74:27958): arch=40000003 syscall=11 success=yes exit=0 a0=841bab0 a1=841bf78 a2=841c1d8 a3=841bf78 items=0 ppid=3778 pid=3784 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Expected results:

Additional info:
selinux-policy maintainers, can you take a look, please? "read/write" on a socket during execve() - is that perhaps caused by a file descriptor that cron should have closed?
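The leaked-descriptor question in the comment above can be checked mechanically from the audit log. The following Python is an added example, not part of the original bug report: it pairs each AVC denial with the SYSCALL record of the same audit event and flags denials on a socket, raised during execve(), where the socket carries a different domain's label than the new process. The first two sample records are copied from the report, the last two are constructed as a control, and all function names are this example's own.

```python
import re
from collections import defaultdict

# execve syscall number per audit "arch" value (i386, x86_64).
EXECVE = {"40000003": "11", "c000003e": "59"}
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def parse(line):
    """Return (event_id, fields) for one audit record, or None if unparsable."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    p = PERMS.search(line)
    fields["perms"] = p.group(1).split() if p else []
    return m.group(1), fields

def selinux_type(context):
    """Third colon-separated field of user:role:type:level."""
    return context.split(":")[2]

def leaked_socket_denials(lines):
    """Denials on a socket labelled with another domain, raised during execve().
    On a domain transition SELinux rechecks inherited descriptors, so such a
    denial points at a descriptor the parent left open across exec."""
    events = defaultdict(dict)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]][rec[1].get("type")] = rec[1]
    hits = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc and avc["perms"]):
            continue
        src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
        if (sc.get("syscall") == EXECVE.get(sc.get("arch"), "")
                and avc.get("tclass", "").endswith("_socket") and src != tgt):
            hits.append({"event": event_id, "exe": sc.get("exe"), "perms": avc["perms"],
                         "new_domain": src, "socket_label": tgt})
    return hits

SAMPLE = [  # first two records are from the report above; last two are constructed
    'node=pig type=AVC msg=audit(1249945760.74:27958): avc: denied { read write } for pid=3784 comm="updatedb" path="socket:[108115]" dev=sockfs ino=108115 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket',
    'node=pig type=SYSCALL msg=audit(1249945760.74:27958): arch=40000003 syscall=11 success=yes exit=0 a0=841bab0 a1=841bf78 a2=841c1d8 a3=841bf78 items=0 ppid=3778 pid=3784 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)',
    'node=pig type=AVC msg=audit(1249945999.10:28001): avc: denied { read } for pid=4000 comm="example" name="data" dev=sda1 ino=42 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'node=pig type=SYSCALL msg=audit(1249945999.10:28001): arch=40000003 syscall=5 success=no exit=-13 pid=4000 comm="example" exe="/usr/bin/example"',
]

if __name__ == "__main__":
    for hit in leaked_socket_denials(SAMPLE):
        print(hit)
```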
This is a bug that I believe is fixed in nss_ldap-264-6.fc11
nss_ldap-264-6.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/nss_ldap-264-6.fc11
nss_ldap-264-6.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/nss_ldap-264-6.fc10
nss_ldap-264-6.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss_ldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8564
nss_ldap-264-6.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss_ldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8617
I have installed nss_ldap-264-6.fc11; will give it a few days to see if the SELinux denial occurs again or not.
After 6 days the error did not appear. A manual run of updatedb did not produce the error. So I'd say it's fixed (at least for me).