On 2023-02-02 10:53, Per Jessen wrote:
Carlos E. R. wrote:
I had a hunch, and apparmor is complaining:
Complaining about what? :-) You left out the most useful bit of information ...
I posted the output from AA.
I didn't see any. All I saw was some diff output?
Printed by AA at the end.
It needed this:
    /usr/bin/locate mr,
    /var/lib/mlocate/mlocate.db r,
Funny that those should be missing in Leap 15.4 - that apparmor profile is quite old (2018).
Yes, funny.
Hmm, I just looked at the 'mlocate' package in Leap 15.4, those two lines _are_ in the profile. I think we have some disconnect?
Maybe my file was not replaced. :-?

My file in backup (Apr 15 2022):

    # Last Modified: Fri Apr 15 20:39:33 2022
    #include <tunables/global>

    /usr/bin/locate {
      #include <abstractions/base>
      #include <abstractions/nameservice>

      capability setgid,

      /usr/bin/locate mr,
      /var/lib/mlocate/mlocate.db r,
    }

My current file is:

    # Last Modified: Wed Feb 1 22:27:50 2023
    include <tunables/global>

    /usr/bin/locate {
      include <abstractions/base>
      include <abstractions/nameservice>

      capability setgid,

      /usr/bin/locate mr,
      /var/lib/mlocate/mlocate.db r,
    }

Just the comment symbol. I didn't interpret the diff correctly, which is normal for me :-}
Wait, I have the audit log:
    Telcontar:~ # grep "usr/bin/locate\|/var/lib/mlocate/mlocate.db" /var/log/audit/*
    /var/log/audit/audit.log.1:type=AVC msg=audit(1675247354.543:1682): apparmor="DENIED" operation="capable" profile="/usr/bin/locate" pid=26774 comm="locate" capability=6 capname="setgid"
Okay - setgid, that is not in the profile. Nor is it in tw.
But it is in mine, and in my backup. It is possible that the upgrade to 15.4 reset it, so now aa complains again and I had to put it back.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
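
Added example, not part of the original thread: a small Python script that reads AppArmor AVC records like the one grepped above and lists, per profile, the rule each denial points to. It goes beyond the thread's single `capable` denial by also handling file denials; the second and third sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# key=value or key="quoted value", as written by auditd
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE = [
    # Line quoted in the thread (grep file-name prefix included):
    '/var/log/audit/audit.log.1:type=AVC msg=audit(1675247354.543:1682): '
    'apparmor="DENIED" operation="capable" profile="/usr/bin/locate" '
    'pid=26774 comm="locate" capability=6 capname="setgid"',
    # Constructed: a file denial for the same profile
    'type=AVC msg=audit(1675247360.101:1690): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/locate" '
    'name="/var/lib/mlocate/mlocate.db" pid=26780 comm="locate" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Constructed: unrelated audit record, must be ignored
    'type=USER_LOGIN msg=audit(1675247361.000:1691): pid=900 uid=0 res=success',
]

def parse_avc(line):
    """Return the key=value fields of one audit record as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def suggested_rule(rec):
    """Map an AppArmor DENIED record to the profile rule it points to."""
    if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
        return None
    if rec.get("operation") == "capable" and "capname" in rec:
        return f'capability {rec["capname"]},'
    mask = rec.get("denied_mask", "")
    # Simplification: only masks that are also valid profile permissions
    if "name" in rec and mask and set(mask) <= set("rwmkl"):
        return f'{rec["name"]} {mask},'
    return None

def missing_rules(lines):
    """Group suggested rules by profile name, de-duplicated and sorted."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        rule = suggested_rule(rec)
        if rule:
            out[rec["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}

if __name__ == "__main__":
    for profile, rules in missing_rules(SAMPLE).items():
        print(profile, *rules, sep="\n  ")
```

Each suggested rule still needs to be compared against the profile actually loaded, since a denial can also mean the on-disk profile was never reloaded.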