Bug 800761 - SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier updatedb.conf.
Summary: SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier u...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b7955fcf6d8...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-07 07:47 UTC by Calvinhac Bruno
Modified: 2012-09-19 10:21 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-03-07 12:16:32 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Calvinhac Bruno 2012-03-07 07:47:52 UTC
SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier updatedb.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed read access on the updatedb.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                updatedb.conf [ file ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           mlocate-0.24-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-51.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.42.7-1.fc15.x86_64 #1
                              SMP Tue Feb 21 01:22:05 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    mer. 07 mars 2012 03:18:16 CET
Last Seen                     mer. 07 mars 2012 03:18:16 CET
Local ID                      ee227871-c69d-4135-ab84-f627cf7c3cd9

Raw Audit Messages
type=AVC msg=audit(1331086696.255:235): avc:  denied  { read } for  pid=19906 comm="updatedb" name="updatedb.conf" dev=sda1 ino=1835180 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1331086696.255:235): arch=x86_64 syscall=open success=no exit=EACCES a0=407643 a1=0 a2=1b6 a3=9 items=0 ppid=19900 pid=19906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,initrc_tmp_t,file,read

audit2allow

#============= locate_t ==============
allow locate_t initrc_tmp_t:file read;

audit2allow -R

#============= locate_t ==============
allow locate_t initrc_tmp_t:file read;

Comment 1 Miroslav Grepl 2012-03-07 12:16:32 UTC
You will need to run 

$ restorecon -R -v /etc/updatedb.con

to fix labeling. Not sure how it got this label.

initrc_tmp_t is for tmp files which are created by initrc_t domain type. This domain type is for unconfined services by default.

Did you setup this label?

Comment 2 Calvinhac Bruno 2012-03-09 19:00:40 UTC
Hi,

label fixing seems to be ok.
I never had to setup this type of label before ?!
Thx for your help.


Note You need to log in before you can comment on or make changes to this bug.