Bug 800761 - SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier updatedb.conf.
SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier u...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-03-07 02:47 EST by Calvinhac Bruno
Modified: 2012-09-19 06:21 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-03-07 07:16:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Calvinhac Bruno 2012-03-07 02:47:52 EST
SELinux is preventing /usr/bin/updatedb from 'read' accesses on the fichier updatedb.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed read access on the updatedb.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                updatedb.conf [ file ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           mlocate-0.24-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-51.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) #1
                              SMP Tue Feb 21 01:22:05 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    mer. 07 mars 2012 03:18:16 CET
Last Seen                     mer. 07 mars 2012 03:18:16 CET
Local ID                      ee227871-c69d-4135-ab84-f627cf7c3cd9

Raw Audit Messages
type=AVC msg=audit(1331086696.255:235): avc:  denied  { read } for  pid=19906 comm="updatedb" name="updatedb.conf" dev=sda1 ino=1835180 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1331086696.255:235): arch=x86_64 syscall=open success=no exit=EACCES a0=407643 a1=0 a2=1b6 a3=9 items=0 ppid=19900 pid=19906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=17 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,initrc_tmp_t,file,read


#============= locate_t ==============
allow locate_t initrc_tmp_t:file read;

audit2allow -R

#============= locate_t ==============
allow locate_t initrc_tmp_t:file read;
Comment 1 Miroslav Grepl 2012-03-07 07:16:32 EST
You will need to run 

$ restorecon -R -v /etc/updatedb.con

to fix labeling. Not sure how it got this label.

initrc_tmp_t is for tmp files which are created by initrc_t domain type. This domain type is for unconfined services by default.

Did you setup this label?
Comment 2 Calvinhac Bruno 2012-03-09 14:00:40 EST

label fixing seems to be ok.
I never had to setup this type of label before ?!
Thx for your help.

Note You need to log in before you can comment on or make changes to this bug.