Summary: SELinux is preventing /usr/bin/updatedb "getattr" access on /proc/.

Detailed Description: SELinux denied access requested by updatedb. It is not expected that this access is required by updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                /proc/<pid> [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   162
First Seen                    Fri 12 Jun 2009 05:46:20 PM CDT
Last Seen                     Sun 14 Feb 2010 03:10:02 AM CST
Local ID                      e85b5391-4883-46ad-8a31-96614c156f10
Line Numbers

Raw Audit Messages:
node=(removed) type=AVC msg=audit(1266138602.937:149): avc: denied { getattr } for pid=6418 comm="updatedb" path="/proc/6417" dev=proc ino=30191 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dir
node=(removed) type=SYSCALL msg=audit(1266138602.937:149): arch=c000003e syscall=6 success=no exit=-13 a0=1c9b2e9 a1=7fff8838e900 a2=7fff8838e900 a3=370cd24590 items=0 ppid=6416 pid=6418 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-78.fc12,catchall,updatedb,locate_t,system_cronjob_t,dir,getattr

audit2allow suggests:
#============= locate_t ==============
allow locate_t system_cronjob_t:dir getattr;
Did you do something to cause locate to look in proc?

grep proc /etc/updatedb.conf
PRUNEFS = "9p afs anon_inodefs auto autofs bdev binfmt_misc cgroup cifs coda configfs cpuset debugfs devpts ecryptfs exofs fuse fusectl gfs gfs2 hugetlbfs inotifyfs iso9660 jffs2 lustre mqueue ncpfs nfs nfs4 nfsd pipefs proc ramfs rootfs rpc_pipefs securityfs selinuxfs sfs sockfs sysfs tmpfs ubifs udf usbfs"

It is not supposed to go into this directory.
I don't think so. updatedb gets called from a script in /etc/cron.daily called updatedb, which reads as follows:

nice -n 5 updatedb

My /etc/updatedb.conf is the stock file that came with the distro:

PRUNE_BIND_MOUNTS = "yes"
PRUNEFS = "auto afs gfs gfs2 iso9660 sfs udf"
PRUNENAMES = ".git .hg .svn"
PRUNEPATHS = "/afs /media /net /sfs /tmp /udev /var/cache/ccache /var/spool/cups /var/spool/squid /var/tmp"

So I guess while I didn't do anything to cause it to look in proc I also didn't do anything to cause it to NOT look in proc. Perhaps proc ought to be added to the /etc/updatedb.conf file that ships with the RPM?
Seems to be fixed in F13?
Well, F13 includes the nodev filesystems in default PRUNEFS, which avoids the problem. Users might in theory still want to build a locate database for /proc.
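An added example, not part of this bug thread or of mlocate: it parses the AVC record from the report above and checks it against the PRUNEFS line of an updatedb.conf, so that a denial caused by a missing prune entry is resolved in the config rather than with the audit2allow rule. The sample AVC line and conf text are constructed from what is quoted in this thread, and PSEUDO_FS is an assumed list of nodev filesystem names drawn from the F13 PRUNEFS list quoted earlier.

```python
import re

# Constructed sample: the AVC record from the report above (node= field omitted).
AVC_SAMPLE = ('type=AVC msg=audit(1266138602.937:149): avc: denied { getattr } for '
              'pid=6418 comm="updatedb" path="/proc/6417" dev=proc ino=30191 '
              'scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 '
              'tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dir')

# Constructed sample: the stock F12 /etc/updatedb.conf quoted in the thread.
F12_CONF = '''PRUNE_BIND_MOUNTS = "yes"
PRUNEFS = "auto afs gfs gfs2 iso9660 sfs udf"
'''

# Assumed set of nodev filesystems (from the F13 PRUNEFS list in the thread). For
# these dev= in the AVC names the fs type; for block devices it is a device name.
PSEUDO_FS = {'proc', 'sysfs', 'devpts', 'selinuxfs', 'securityfs', 'debugfs',
             'cgroup', 'tmpfs', 'binfmt_misc', 'fusectl', 'mqueue', 'usbfs'}

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial (plus perms and source/target types), or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    rec['stype'] = rec['scontext'].split(':')[2]  # user:role:type:range
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def prunefs(conf_text):
    """Return the set of filesystem types listed in PRUNEFS of an updatedb.conf."""
    for line in conf_text.splitlines():
        key, _, value = line.partition('=')
        if key.strip() == 'PRUNEFS':
            return set(value.strip().strip('"').split())
    return set()

def assess(rec, conf_text):
    """A denial on an unpruned nodev filesystem is a config gap: fix PRUNEFS.
    Anything else comes back as an audit2allow-style rule for human review."""
    fs = rec.get('dev')
    if fs in PSEUDO_FS and fs not in prunefs(conf_text):
        return ('config', 'add "%s" to PRUNEFS in /etc/updatedb.conf' % fs)
    rule = 'allow %s %s:%s { %s };' % (rec['stype'], rec['ttype'],
                                       rec['tclass'], ' '.join(rec['perms']))
    return ('review', rule)
```

With the F12 conf the verdict is a PRUNEFS fix; once proc is pruned (as in F13) the same denial would be unexpected and is handed back as a rule to review, not to apply blindly.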
Can we get this back into F12? RHEL6?
mlocate-0.22.2-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mlocate-0.22.2-2.fc12
*** Bug 570669 has been marked as a duplicate of this bug. ***
mlocate-0.22.2-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.