TW : On 09/06/18 16:43, Patrick Shanahan wrote:

...

On 09/06/18 15:15, Patrick Shanahan wrote on factory :

...

* mike [06-09-18 08:09]:

...

On 06/09/2018 07:20 AM, Peter Suetterlin wrote:

...

...

Hi,

        I'm getting this after running updatedb -

                    can not open a temporary file for '/var/lib/mlocate/mlocate.db'

        I've had to remove mlocate then reinstall it and the first updatedb runs fine,

        then I get the above error message for the second run.....is there a better fix

        for this? Hmm, likely a permission issue. It normally runs as nobody (unless you change

mike wrote: that). Maybe the initial run when installing it is run as root? Then the DB is owned by root and cannot be changed. Or did you call updatedb yourself?             always run as root show: ls -la /var/lib/mlocate drwxr-xr-x 1 nobody root 20 Jun 9 00:15 . drwxr-xr-x 1 root root 1006 Jun 8 23:30 .. -rw-r--r-- 1 nobody nobody 16874246 Jun 9 00:15 mlocate.db

- Thank you Patrick

{ i have been told bu board-member to ask TW probs

 on opensuse-support }

 with TW i have adjusted chown & chmod as you suggest , but continue to get :

# updatedb updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'

......

 - what to try next please? does some other process have mlocate.db open?

* ellanios82 [06-09-18 09:13]: ps -A auf |grep mlocate

 - Thank you very much Patrick # ps -A auf |grep mlocate : turn up nothing

still believe a perms problem, but ...

what about apparmor, cat /etc/apparmor.d/usr.bin.updatedb # Last Modified: Fri Apr 13 21:57:17 2018 #include

/usr/bin/updatedb { #include

/ r, /**/ r, /etc/updatedb.conf r, /usr/bin/updatedb mr, owner /proc/@{pid}/mounts r, /var/lib/mlocate/mlocate.db rwk, /var/lib/mlocate/mlocate.db.?????? rw,

}

  - believe likewise : # cat /etc/apparmor.d/usr.bin.updatedb # Last Modified: Fri Apr 13 21:57:17 2018 #include /usr/bin/updatedb {   #include   / r,   /**/ r,   /etc/updatedb.conf r,   /usr/bin/updatedb mr,   owner /proc/@{pid}/mounts r,   /var/lib/mlocate/mlocate.db rwk,   /var/lib/mlocate/mlocate.db.?????? rw, .........  - again : thank you Patrick .......  regards -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org

On 09/06/18 21:39, Christian Boltz wrote:

Hello,

Am Samstag, 9. Juni 2018, 15:43:08 CEST schrieb Patrick Shanahan:

...

* ellanios82 [06-09-18 09:13]:

...

# updatedb updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db' - what to try next please? what about apparmor, cat /etc/apparmor.d/usr.bin.updatedb This profile is quite new, so it might indeed be incomplete.

Please switch it to complain (learning) mode and try again: aa-complain /etc/apparmor.d/usr.bin.updatedb This will allow everything, and log what would be denied.

Yes : thank you very much : updatedb works now   :)) ...

If updatedb works now, the AppArmor profile needs an update. In this case, please grep updatedb /var/log/audit/audit.log and either paste the result here [1],

..... # grep updatedb /var/log/audit/audit.log type=AVC msg=audit(1528548146.284:171): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6687 comm="updatedb" capability=1  capname="dac_override" type=AVC msg=audit(1528548244.938:172): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6743 comm="updatedb" capability=1  capname="dac_override" type=AVC msg=audit(1528548317.456:173): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6820 comm="updatedb" capability=1  capname="dac_override" type=AVC msg=audit(1528570200.931:175): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/updatedb" pid=18539 comm="apparmor_parser" type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1  capname="dac_override" type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2  capname="dac_read_search" type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3  capname="fowner" type=AVC msg=audit(1528570245.230:179): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2  capname="dac_read_search" type=AVC msg=audit(1528570245.230:180): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3  capname="fowner" type=AVC msg=audit(1528570245.378:181): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2  capname="dac_read_search" type=AVC msg=audit(1528570245.378:182): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3  capname="fowner" type=AVC msg=audit(1528570245.390:183): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2  capname="dac_read_search" type=AVC msg=audit(1528570245.390:184): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3  capname="fowner" ...........

or open a bugreport and attach it.

You can also update the profile yourself using aa-logprof (but again, please open a bugreport to get it fixed for everybody)

Oh, and don't forget to switch the profile back to enforce mode afterwards: aa-enforce /etc/apparmor.d/usr.bin.updatedb

Regards,

Christian Boltz

[1] use paste.opensuse.org if it's too big

 Thank you very much ..... -- To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-support+owner@opensuse.org

Hello,

Am Samstag, 9. Juni 2018, 20:58:17 CEST schrieb ellanios82:
> type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=1  capname="dac_override"
> type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=2  capname="dac_read_search"
> type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=3  capname="fowner"

This means the AppArmor profile for updatedb needs the following 
additions:

  capability dac_override,  # maybe not, see below.
  capability dac_read_search,
  capability fowner,

I was able to reproduce this with
    RUN_UPDATEDB_AS=root
in /etc/sysconfig/locate

One interesting detail is that I got a denial for dac_override only 
once, and even that surprises me - updatedb cares about directory 
content (which might need dac_read_search [1]), but I have no idea why 
it would need dac_override.


As Carlos already told you, you should report in bugzilla that the 
profile needs some additions. Well, except this time because I just did 
the work and added a comment to 
https://bugzilla.opensuse.org/show_bug.cgi?id=1089594
;-)


Regards,

Christian Boltz

[1] for example    drwx------ cb users   /home/cb   - if root wants to 
    get a directory listing of that directory, dac_read_search is
    needed. dac_override would be needed to read or write a file like
    -rw------- cb users  /home/cb/somefile
    See   man 7 capabilities   for more details.

-- 
> what do I need to avoid?
* Belgian "Beer". At any cost.
[> Richard Brown and Henne Vogelsang in opensuse-project]



-- 
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org