Description of problem:
Regularly happens on FC18. If I'm not wrong that started to appear after some update.

SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory /home.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mandb should be allowed search access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mandb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        mandb
Source Path                   /usr/bin/mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           man-db-2.6.3-2.fc18.i686
Target RPM Packages           filesystem-3.1-2.fc18.i686
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.i686 #1 SMP Mon May 13 14:48:23 UTC 2013 i686 i686
Alert Count                   4
First Seen                    2013-05-27 11:34:03 EDT
Last Seen                     2013-05-30 10:28:03 EDT
Local ID                      3b144d29-28cd-4d93-9f0e-9852902fa24b

Raw Audit Messages
type=AVC msg=audit(1369924083.950:1924): avc:  denied  { search } for  pid=22850 comm="mandb" name="/" dev="sda3" ino=2 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

type=SYSCALL msg=audit(1369924083.950:1924): arch=i386 syscall=stat64 success=no exit=ENOENT a0=bfd451a0 a1=bfd45264 a2=4e304000 a3=bfd451a0 items=0 ppid=22845 pid=22850 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=19 tty=(none) comm=mandb exe=/usr/bin/mandb subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)

Hash: mandb,mandb_t,home_root_t,dir,search

audit2allow

#============= mandb_t ==============
allow mandb_t home_root_t:dir search;

audit2allow -R

require {
	type mandb_t;
}

#============= mandb_t ==============
files_search_home(mandb_t)

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.i686
type:           libreport
Do you have man pages in /root? Is there any mention of root in /etc/man_db.conf? Probably could be dontaudited. Might be a process looking at its homedir.
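As an added illustration (not code from the bug report, man-db or the SELinux policy), a small Python parser that pulls the source type, target type, object class and permission out of the raw AVC record in the report and renders it both as the `allow` rule audit2allow produced and as the `dontaudit` form suggested in comment #1. The first audit line is copied from the report; the SYSCALL line is shortened and the second denial is constructed so that deduplication has something to do.

```python
import re

# First entry copied from the bug report; the SYSCALL record is shortened and the
# third entry is a constructed repeat (different pid) to exercise deduplication.
SAMPLE_LOG = [
    'type=AVC msg=audit(1369924083.950:1924): avc:  denied  { search } for  pid=22850 '
    'comm="mandb" name="/" dev="sda3" ino=2 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1369924083.950:1924): arch=i386 syscall=stat64 success=no '
    'exit=ENOENT pid=22850 comm=mandb exe=/usr/bin/mandb',
    'type=AVC msg=audit(1369924084.100:1930): avc:  denied  { search } for  pid=22901 '
    'comm="mandb" name="/" dev="sda3" ino=2 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['perms'] = sorted(rec['perms'].split())
    # A context is user:role:type[:range]; TE rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def te_rule(rec, kind='allow'):
    """Render the record as a TE rule: 'allow' (what audit2allow emits) or
    'dontaudit' (silence a denial that has been judged harmless, as in comment #1)."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    return '%s %s %s:%s %s;' % (kind, rec['stype'], rec['ttype'], rec['tclass'], perms)


def summarize(log_lines):
    """Collapse repeated denials into one rule each, counting how often each fired."""
    counts = {}
    for line in log_lines:
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            rule = te_rule(rec)
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    for rule, n in summarize(SAMPLE_LOG).items():
        print('%d x %s' % (n, rule))
        print('    quieter alternative: ' + rule.replace('allow ', 'dontaudit ', 1))
```

Before choosing the `allow` form, check what the process was actually after: here the SYSCALL record shows a failed stat64 with exit=ENOENT, which fits a probe for a config file that does not exist rather than a real need to read /home.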
(In reply to Daniel Walsh from comment #1)
> Do you have man pages in /root?

No, I don't.

> Is there any mention of root in /etc/man_db.conf

"grep -i root /etc/man_db.conf" gives an empty output. Anyway, I'll attach my /etc/man_db.conf

> Probably could be dontaudited.
>
> Might be a process looking at its homedir.

That's the question: why is it looking at the home directory at all?
Created attachment 756468 [details] /etc/man_db.conf
man-db has a configuration file in ~/.manpath. I have no SELinux experience, but wouldn't that account for this?
(In reply to Colin Watson from comment #4)
> man-db has a configuration file in ~/.manpath. I have no SELinux
> experience, but wouldn't that account for this?

I don't have a ~/.manpath file.
That's as may be, but man-db cannot possibly know that without looking for it.
Yes, that would explain it. f690b8bd3df43cf208a162b8aa0866d78b3a13c2 adds this to git. 8763880cc0441abf06383717f3426c4091535a65
Backported.