On 2023-02-02 12:31, Erwin Lam wrote:
On 01-02-2023 15:17, Carlos E. R. wrote:
On 2023-02-01 15:00, Bengt Gördén wrote:
Carlos E. R. wrote:
...
Hi Carlos,
The issue is caused by systemd hardening. Have a look at the file "/usr/lib/systemd/system/mlocate.service", in particular the line "ProtectKernelModules=true". This systemd setting not only prevents the service from loading any modules, but also denies the service access to directory "/lib/modules".
Wow. I would never have guessed that.

[Unit]
Description=Update locate database
Documentation=man:updatedb

[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=read-only
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=oneshot
ExecStart=/bin/sh -c \
    "chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate && \
    su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c /usr/bin/updatedb"
# Ensure we have proper umask bnc#941296
UMask=0022
# Alter the priority of the updatedb process
Nice=19
IOSchedulingClass=2
IOSchedulingPriority=7
# Load sysconfig
EnvironmentFile=/etc/sysconfig/locate

-- 
Cheers / Saludos,

Carlos E. R.
(from Elesar, using openSUSE Leap 15.4)
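An added example, not part of the thread or of any openSUSE package: a shell check that reads a unit file and reports which paths its [Service] hardening directives hide from the service, which is the effect described above for "ProtectKernelModules=true". The helper names hidden_paths and hidden_by are hypothetical, the directive-to-path mapping follows systemd.exec(5) plus the /lib/modules path named in the thread, and the sample unit is constructed from the one quoted above.

```shell
#!/bin/sh
# Added example. Mapping per systemd.exec(5); /lib/modules is the path named in the thread.
# hidden_paths / hidden_by are hypothetical helper names.
hidden_paths() {    # print paths the unit's [Service] section makes inaccessible
    awk '
        function truthy(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" || v == "on" }
        function emit(list,   i, n, a) {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++) { sub(/^[-+]+/, "", a[i]); print a[i] }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }             # comments, blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /\\$/ { sub(/\\$/, " "); buf = buf $0; next }    # join "\" continuations
        { line = buf $0; buf = "" }
        line ~ /^\[.*\]$/ { section = line; next }
        section != "[Service]" { next }
        {
            eq = index(line, "="); if (!eq) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
            if (key == "ProtectKernelModules" && truthy(val)) emit("/lib/modules /usr/lib/modules")
            else if (key == "ProtectKernelLogs" && truthy(val)) emit("/proc/kmsg /dev/kmsg")
            else if (key == "ProtectHome" && truthy(val)) emit("/home /root /run/user")
            else if (key == "InaccessiblePaths") emit(val)
        }
    ' "$1"
}

hidden_by() {       # print the hidden prefix that covers path $2, if any
    hidden_paths "$1" | while IFS= read -r p; do
        case "$2" in "$p" | "$p"/*) printf '%s\n' "$p"; break ;; esac
    done
}

# Constructed sample: the unit quoted above, abridged.
SAMPLE_UNIT=$(mktemp)
trap 'rm -f "$SAMPLE_UNIT"' EXIT
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Update locate database
[Service]
ProtectHome=read-only
ProtectKernelModules=true
ProtectKernelLogs=true
ExecStart=/bin/sh -c \
    "su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c /usr/bin/updatedb"
EOF
hidden_by "$SAMPLE_UNIT" /lib/modules/KVER/kernel   # KVER: placeholder kernel version
```

"ProtectHome=read-only" is deliberately not reported: it keeps /home readable, so only the kernel module and kernel log paths come back as hidden for this unit.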