[opensuse-support] Re: [opensuse-factory] mlocate
On 09/06/18 15:15, Patrick Shanahan wrote on factory :
> * mike [06-09-18 08:09]:
>> On 06/09/2018 07:20 AM, Peter Suetterlin wrote:
>>> mike wrote:
>>>> Hi,
>>>> I'm getting this after running updatedb -
>>>> can not open a temporary file for '/var/lib/mlocate/mlocate.db'
>>>> I've had to remove mlocate then reinstall it and the first updatedb runs fine,
>>>> then I get the above error message for the second run.....is there a better fix
>>>> for this?
>>> Hmm, likely a permission issue. It normally runs as nobody (unless you change
>>> that). Maybe the initial run when installing it is run as root? Then the DB is
>>> owned by root and cannot be changed. Or did you call updatedb yourself?
>> always run as root
> show: ls -la /var/lib/mlocate
> drwxr-xr-x 1 nobody root 20 Jun 9 00:15 .
> drwxr-xr-x 1 root root 1006 Jun 8 23:30 ..
> -rw-r--r-- 1 nobody nobody 16874246 Jun 9 00:15 mlocate.db

- Thank you Patrick
{ i have been told by board-member to ask TW probs
on opensuse-support }
with TW i have adjusted chown & chmod as you suggest , but continue to get :
# updatedb
updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
......
- what to try next please?
thanks
regards
....
--
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
* ellanios82
> - Thank you Patrick
> { i have been told by board-member to ask TW probs
> on opensuse-support }
> with TW i have adjusted chown & chmod as you suggest , but continue to get :
> # updatedb
> updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
> ......
> - what to try next please?
does some other process have mlocate.db open?
ps -A auf |grep mlocate
still believe a perms problem, but ...
what about apparmor,
cat /etc/apparmor.d/usr.bin.updatedb
# Last Modified: Fri Apr 13 21:57:17 2018
#include
TW : On 09/06/18 16:43, Patrick Shanahan wrote:
> * ellanios82 [06-09-18 09:13]:
>> - what to try next please?
> does some other process have mlocate.db open?
> ps -A auf |grep mlocate

- Thank you very much Patrick
# ps -A auf |grep mlocate : turn up nothing

> still believe a perms problem, but ...
> what about apparmor,
> cat /etc/apparmor.d/usr.bin.updatedb
> # Last Modified: Fri Apr 13 21:57:17 2018
> #include
> /usr/bin/updatedb {
>   #include
>   / r,
>   /**/ r,
>   /etc/updatedb.conf r,
>   /usr/bin/updatedb mr,
>   owner /proc/@{pid}/mounts r,
>   /var/lib/mlocate/mlocate.db rwk,
>   /var/lib/mlocate/mlocate.db.?????? rw,
> }

- believe likewise :
# cat /etc/apparmor.d/usr.bin.updatedb
# Last Modified: Fri Apr 13 21:57:17 2018
#include
Hello,

On Saturday, 9 June 2018, 15:43:08 CEST, Patrick Shanahan wrote:
> * ellanios82 [06-09-18 09:13]:
>> # updatedb
>> updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
>> - what to try next please?
> what about apparmor,
> cat /etc/apparmor.d/usr.bin.updatedb

This profile is quite new, so it might indeed be incomplete.

Please switch it to complain (learning) mode and try again:

    aa-complain /etc/apparmor.d/usr.bin.updatedb

This will allow everything, and log what would be denied.

If updatedb works now, the AppArmor profile needs an update. In this case, please

    grep updatedb /var/log/audit/audit.log

and either paste the result here [1], or open a bugreport and attach it.

You can also update the profile yourself using aa-logprof (but again, please open a bugreport to get it fixed for everybody)

Oh, and don't forget to switch the profile back to enforce mode afterwards:

    aa-enforce /etc/apparmor.d/usr.bin.updatedb

Regards,

Christian Boltz

[1] use paste.opensuse.org if it's too big
--
I am fed up with fighting the YaSTs [Linuxconfs, ...] of this world that want to be smarter than I am. I don't want "boot graphics" that hide the evil, ugly startup messages. And I don't want an installer that makes partitioning "suggestions" to me ("blows to the neck" would be more accurate). [Ratti in suse-linux]

On 09/06/18 21:39, Christian Boltz wrote:
> Hello,
>
> On Saturday, 9 June 2018, 15:43:08 CEST, Patrick Shanahan wrote:
>> * ellanios82 [06-09-18 09:13]:
>>> # updatedb
>>> updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
>>> - what to try next please?
>> what about apparmor,
>> cat /etc/apparmor.d/usr.bin.updatedb
> This profile is quite new, so it might indeed be incomplete.
> Please switch it to complain (learning) mode and try again:
>     aa-complain /etc/apparmor.d/usr.bin.updatedb
> This will allow everything, and log what would be denied.

Yes : thank you very much : updatedb works now :)) ...

> If updatedb works now, the AppArmor profile needs an update. In this case, please
>     grep updatedb /var/log/audit/audit.log
> and either paste the result here [1],

.....
# grep updatedb /var/log/audit/audit.log
type=AVC msg=audit(1528548146.284:171): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6687 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528548244.938:172): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6743 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528548317.456:173): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6820 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570200.931:175): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/updatedb" pid=18539 comm="apparmor_parser"
type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
type=AVC msg=audit(1528570245.230:179): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570245.230:180): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
type=AVC msg=audit(1528570245.378:181): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570245.378:182): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
type=AVC msg=audit(1528570245.390:183): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570245.390:184): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
...........

> or open a bugreport and attach it.
> You can also update the profile yourself using aa-logprof (but again, please open a bugreport to get it fixed for everybody)
> Oh, and don't forget to switch the profile back to enforce mode afterwards:
>     aa-enforce /etc/apparmor.d/usr.bin.updatedb
> Regards,
> Christian Boltz
> [1] use paste.opensuse.org if it's too big

Thank you very much .....

On 2018-06-09 20:58, ellanios82 wrote:
> On 09/06/18 21:39, Christian Boltz wrote:
>> Hello,
>>
>> On Saturday, 9 June 2018, 15:43:08 CEST, Patrick Shanahan wrote:
>>> * ellanios82 [06-09-18 09:13]:
>>>> # updatedb
>>>> updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
>>>> - what to try next please?
>>> what about apparmor,
>>> cat /etc/apparmor.d/usr.bin.updatedb
>> This profile is quite new, so it might indeed be incomplete.
>> Please switch it to complain (learning) mode and try again:
>>     aa-complain /etc/apparmor.d/usr.bin.updatedb
>> This will allow everything, and log what would be denied.
> Yes : thank you very much : updatedb works now :)) ...

Remember that this is not a solution. This is a method to find out what apparmor rule is blocking updatedb.

>> If updatedb works now, the AppArmor profile needs an update. In this case, please
>>     grep updatedb /var/log/audit/audit.log
>> and either paste the result here [1],
> .....
> # grep updatedb /var/log/audit/audit.log
> type=AVC msg=audit(1528548146.284:171): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6687 comm="updatedb" capability=1 capname="dac_override"

And this is it. You have to do this below:

>> or open a bugreport and attach it.
>> You can also update the profile yourself using aa-logprof (but again, please open a bugreport to get it fixed for everybody)
>> Oh, and don't forget to switch the profile back to enforce mode afterwards:
>>     aa-enforce /etc/apparmor.d/usr.bin.updatedb

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)

Hello,

On Saturday, 9 June 2018, 20:58:17 CEST, ellanios82 wrote:
> type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=1 capname="dac_override"
> type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=2 capname="dac_read_search"
> type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=3 capname="fowner"

This means the AppArmor profile for updatedb needs the following additions:

    capability dac_override,  # maybe not, see below.
    capability dac_read_search,
    capability fowner,

I was able to reproduce this with RUN_UPDATEDB_AS=root in /etc/sysconfig/locate

One interesting detail is that I got a denial for dac_override only once, and even that surprises me - updatedb cares about directory content (which might need dac_read_search [1]), but I have no idea why it would need dac_override.

As Carlos already told you, you should report in bugzilla that the profile needs some additions. Well, except this time because I just did the work and added a comment to https://bugzilla.opensuse.org/show_bug.cgi?id=1089594 ;-)

Regards,

Christian Boltz

[1] for example
        drwx------ cb users /home/cb
    - if root wants to get a directory listing of that directory, dac_read_search is needed.
    dac_override would be needed to read or write a file like
        -rw------- cb users /home/cb/somefile
    See man 7 capabilities for more details.
--
> what do I need to avoid?
* Belgian "Beer". At any cost.
[> Richard Brown and Henne Vogelsang in opensuse-project]

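Added example, not part of the thread and not code from the AppArmor project: a small Python script that turns the apparmor capability records in an audit log into per-capability verdict counts and candidate profile rules, which is the reading of the log done by hand in the last message. The sample records are copied from the log posted earlier in this thread; the function names are made up for this illustration.

```python
import re
from collections import Counter, defaultdict

# Records copied from the audit.log excerpt posted in this thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1528548146.284:171): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=6687 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570200.931:175): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/updatedb" pid=18539 comm="apparmor_parser"
type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
type=AVC msg=audit(1528570245.230:179): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
"""

# key="quoted value" or key=bare-value pairs, as they appear in the records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def capability_events(log_text, profile):
    """Count capability checks per capname for one profile, split by verdict.

    DENIED is logged in enforce mode, ALLOWED in complain mode. STATUS
    records (profile reloads) and records for other profiles are skipped.
    """
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec.get("type") == "AVC" and rec.get("operation") == "capable"
                and rec.get("profile") == profile and "capname" in rec
                and rec.get("apparmor") in ("DENIED", "ALLOWED")):
            counts[rec["capname"]][rec["apparmor"]] += 1
    return {cap: dict(c) for cap, c in counts.items()}


def candidate_rules(log_text, profile):
    """Return the capability rules the log suggests, for human review."""
    return [f"capability {cap}," for cap in sorted(capability_events(log_text, profile))]


if __name__ == "__main__":
    events = capability_events(SAMPLE_LOG, "/usr/bin/updatedb")
    for cap, verdicts in sorted(events.items()):
        print(f"{cap:16} {verdicts}")
    print("\n".join(candidate_rules(SAMPLE_LOG, "/usr/bin/updatedb")))
```

The counts are there so that each capability can be questioned before it goes into the profile, as the last message does for dac_override.
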
participants (4)
- Carlos E. R.
- Christian Boltz
- ellanios82
- Patrick Shanahan