What | Removed | Added |
---|---|---|
CC | tyuan@suse.com |
I am testing the maintenance update for this mlocate package. The version is mlocate-0.26-5.3.6. I ran updatedb as root and got some "DENIED" on sles15-x86_64 and sles13-s390.

s15:~ # grep updatedb /var/log/audit/audit.log
type=AVC msg=audit(1536134878.010:4429): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/updatedb" pid=18068 comm="apparmor_parser"
type=AVC msg=audit(1536135067.359:4436): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/updatedb" pid=18194 comm="apparmor_parser"
type=AVC msg=audit(1536135093.595:4478): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=18357 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1536135093.595:4479): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=18357 comm="updatedb" capability=1 capname="dac_override"

s390vsl082:~ # grep updatedb /var/log/audit/audit.log
type=AVC msg=audit(1536136495.574:42496): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/updatedb" pid=50265 comm="apparmor_parser"
type=AVC msg=audit(1536136521.994:42537): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=50426 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1536136521.994:42538): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=50426 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1536136522.024:42539): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=50426 comm="updatedb" capability=3 capname="fowner"

Is there something wrong with the profile?
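
An added example, not part of the original report or of the mlocate/AppArmor projects: a small parser that separates the AppArmor `STATUS` records from the `DENIED` capability checks in output like the above and groups the denied capabilities per profile, with the audit event serials. The function names are hypothetical; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Sample records copied from the report above (one STATUS, three DENIED).
SAMPLE = """\
type=AVC msg=audit(1536135067.359:4436): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/updatedb" pid=18194 comm="apparmor_parser"
type=AVC msg=audit(1536135093.595:4478): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=18357 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1536135093.595:4479): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=18357 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1536136522.024:42539): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=50426 comm="updatedb" capability=3 capname="fowner"
"""

# key=value or key="quoted value"; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# msg=audit(<epoch>:<serial>): the serial identifies the audit event.
STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_avc(line):
    """Return the record's fields as a dict, or None for non-AVC lines."""
    if not line.startswith("type=AVC "):
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_capabilities(log_text):
    """Map profile -> capname -> audit event serials of DENIED capability checks."""
    summary = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_avc(line.strip())
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # skip profile_load / profile_replace STATUS records
        if rec.get("operation") != "capable":
            continue  # keep capability checks only
        stamp = STAMP.search(rec.get("msg", ""))
        serial = int(stamp.group(2)) if stamp else None
        summary[rec.get("profile", "?")][rec.get("capname", "?")].append(serial)
    return {profile: dict(caps) for profile, caps in summary.items()}


if __name__ == "__main__":
    for profile, caps in denied_capabilities(SAMPLE).items():
        print(profile)
        for capname, serials in sorted(caps.items()):
            print(f"  {capname}: {len(serials)} denial(s), events {serials}")
```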