Summary: SELinux is preventing /usr/bin/updatedb "getattr" access on /var/named/chroot/var/named/chroot/dev/random.

Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access is required by updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named/chroot/dev/random [ chr_file ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mlocate-0.22.2-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 17 Jun 2010 03:15:58 AM EDT
Last Seen                     Thu 17 Jun 2010 03:15:58 AM EDT
Local ID                      4b85881d-672b-4dfd-ac8a-3faa7c2c5d59
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1276758958.483:60402): avc: denied { getattr } for pid=4078 comm="updatedb" path="/var/named/chroot/var/named/chroot/dev/random" dev=sda3 ino=23529858 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1276758958.483:60402): arch=c000003e syscall=6 success=no exit=-13 a0=7d3bf9 a1=7fffaaebef20 a2=7fffaaebef20 a3=8028 items=0 ppid=4072 pid=4078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=321 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,updatedb,locate_t,named_zone_t,chr_file,getattr

audit2allow suggests:

#============= locate_t ==============
#!!!! This avc is allowed in the current policy
allow locate_t named_zone_t:chr_file getattr;
(Please ignore the "!!!! This avc is allowed..." above -- that's due to a local rule allowing it which was inserted before running selinux-troubleshooter.)

The problem occurs when having the mlocate package installed at the same time as the bind-chroot package.
You need to do the following commands:

# semanage fcontext -a -e /var/named/chroot /var/named/chroot/var/named/chroot
# restorecon -R -v /var/named/chroot/var/named/

This will tell SELinux to label everything under /var/named/chroot/var/named/chroot as if it was under /var/named/chroot/.
Miroslav: That won't help. /etc/selinux/targeted/context/files/file_contexts has the following rules:

/var/named/chroot/var/named(/.*)?    system_u:object_r:named_zone_t:s0
...
/var/named/chroot/dev/random     -c  system_u:object_r:random_device_t:s0

Since this is /var/named/chroot/var/named/chroot/dev/random, the first rule gets applied, which is why the file becomes named_zone_t instead of random_device_t.

The reason why it's /var/named/chroot/var/named/chroot/dev/random and not /var/named/chroot/dev/random, as the SELinux context rules expect, is because it's an upgrade from F10->F11->F12, and it has a backwards-pointing symlink that the F12 upgrade of bind-chroot followed.

In case someone else stumbles upon the same, the correct fix is to remove the symlink and move the subdirectories to where they are expected now (or mknod the /var/named/chroot/dev/* devices manually in the right place).
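A worked model of the labeling logic discussed in the comment above, added here and not part of the bug report, of selinux-policy, or of libselinux. It parses a small file_contexts excerpt (the two entries quoted above plus a constructed `/var(/.*)?` fallback so every path resolves to something), anchors each regex to the whole path, honours the optional object-class column (`-c` = chr_file), and resolves a path the way restorecon/matchpathcon would. It assumes, as libselinux does, that the last matching entry wins, and therefore lists entries from general to specific; `CHROOT`, `lookup` and `expected_path` are hypothetical helper names chosen for this example.

```python
"""Toy model of a file_contexts lookup: why the mislaid random device gets named_zone_t.
Added example, not code from the bug report, selinux-policy or libselinux."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in file_contexts syntax: the two entries quoted in the thread
# plus a generic /var fallback (constructed, not from the real policy) so that every
# path under /var resolves to some label.  Entries are listed general-to-specific
# because lookup() lets the LAST matching entry win (assumption about libselinux).
FILE_CONTEXTS = """\
/var(/.*)?                              system_u:object_r:var_t:s0
/var/named/chroot/var/named(/.*)?       system_u:object_r:named_zone_t:s0
/var/named/chroot/dev/random        -c  system_u:object_r:random_device_t:s0
"""

CHROOT = "/var/named/chroot"  # where bind-chroot is expected to keep its tree

TYPE_FLAGS = {  # optional middle column of a file_contexts entry -> object class
    "-b": "blk_file", "-c": "chr_file", "-d": "dir", "-p": "fifo_file",
    "-l": "lnk_file", "-s": "sock_file", "--": "file",
}


@dataclass(frozen=True)
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]  # None: the entry applies to every object class
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines into Specs; each regex is anchored to the whole path."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype, context))
    return specs


def lookup(specs: list, path: str, ftype: str) -> Optional[str]:
    """Context that restorecon/matchpathcon would assign to `path` of class `ftype`."""
    for spec in reversed(specs):  # last matching entry wins
        if spec.ftype not in (None, ftype):
            continue  # e.g. a '-c' entry never labels a regular file
        if spec.regex.match(path):
            return spec.context
    return None  # no entry matches: restorecon leaves the file alone


def expected_path(path: str) -> Optional[str]:
    """If `path` sits under a doubled chroot (/var/named/chroot/var/named/chroot/...),
    return where the policy expects that object to live; otherwise None."""
    doubled = CHROOT + CHROOT + "/"
    if path.startswith(doubled):
        return CHROOT + "/" + path[len(doubled):]
    return None


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/var/named/chroot/var/named/chroot/dev/random",
              "/var/named/chroot/dev/random"):
        print(f"{p:48} -> {lookup(specs, p, 'chr_file')}")
    print("move to:", expected_path("/var/named/chroot/var/named/chroot/dev/random"))
```

Run it and the doubled path resolves to named_zone_t while the expected path resolves to random_device_t; the `-c` restriction means the random_device_t entry can never apply to anything but a character device, and no equivalence rule changes which regex a literal doubled path matches, which is why relocating the tree (or recreating the device nodes under /var/named/chroot/dev) is the fix rather than relabeling.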