Mailinglist Archive: opensuse-support (159 mails)

Re: [opensuse-support] Re: [opensuse-factory] mlocate
Hello,

On Saturday, 9 June 2018, 20:58:17 CEST, ellanios82 wrote:
type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=3 capname="fowner"

This means the AppArmor profile for updatedb needs the following
additions:

capability dac_override, # maybe not, see below.
capability dac_read_search,
capability fowner,

I was able to reproduce this with
RUN_UPDATEDB_AS=root
in /etc/sysconfig/locate

One interesting detail is that I got a denial for dac_override only
once, and even that surprises me - updatedb cares about directory
content (which might need dac_read_search [1]), but I have no idea why
it would need dac_override.


As Carlos already told you, you should report in bugzilla that the
profile needs some additions. Well, except this time because I just did
the work and added a comment to
https://bugzilla.opensuse.org/show_bug.cgi?id=1089594
;-)


Regards,

Christian Boltz

[1] for example drwx------ cb users /home/cb - if root wants to
get a directory listing of that directory, dac_read_search is
needed. dac_override would be needed to read or write a file like
-rw------- cb users /home/cb/somefile
See man 7 capabilities for more details.

--
what do I need to avoid?
* Belgian "Beer". At any cost.
[> Richard Brown and Henne Vogelsang in opensuse-project]
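The mail above derives `capability` rules by reading the `capable` events out of the audit log by hand. The following is an added example (not part of the mail and not AppArmor's own `aa-logprof`) that automates that step: it reassembles AVC records that a mail client or log viewer has wrapped across several lines, keeps only `apparmor="ALLOWED"` (complain mode) or `"DENIED"` (enforce mode) records with `operation="capable"`, and emits the deduplicated `capability X,` lines per profile. The sample log below is constructed from the three records quoted in the mail; the function and variable names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the three audit records quoted in the mail, kept in the
# wrapped form in which they appear there (one record spans three lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED"
operation="capable" profile="/usr/bin/updatedb" pid=18558
comm="updatedb" capability=3 capname="fowner"
"""

# key=value or key="quoted value" tokens of an audit record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def split_records(log_text):
    """Yield one audit record per item, re-joining lines that were wrapped.

    A new record starts at a line beginning with 'type='; any other line is
    treated as the continuation of the previous record.
    """
    for chunk in re.split(r'(?m)^(?=type=)', log_text):
        record = " ".join(chunk.split())
        if record:
            yield record


def parse_record(record):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(record):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def capability_rules(log_text, profile=None):
    """Return {profile: ['capability X,', ...]} implied by 'capable' events.

    Only AVC records with apparmor="ALLOWED" or "DENIED" and
    operation="capable" are considered; rules are deduplicated per profile
    in first-seen order.  'profile' optionally restricts the output to one
    profile path.
    """
    rules = OrderedDict()
    for record in split_records(log_text):
        if not record.startswith("type=AVC"):
            continue
        rec = parse_record(record)
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if rec.get("operation") != "capable" or "capname" not in rec:
            continue
        if profile is not None and rec.get("profile") != profile:
            continue
        per_profile = rules.setdefault(rec["profile"], [])
        rule = "capability %s," % rec["capname"]
        if rule not in per_profile:
            per_profile.append(rule)
    return rules


def render_additions(rules):
    """Format the rules as a snippet ready to paste into each profile."""
    lines = []
    for profile, prof_rules in rules.items():
        lines.append("# additions for profile %s" % profile)
        lines.extend("  " + r for r in prof_rules)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_additions(capability_rules(SAMPLE_AUDIT_LOG)))
```

Run it against a real `/var/log/audit/audit.log` by passing the file contents instead of `SAMPLE_AUDIT_LOG`; the output is only a starting point, and, as the mail notes for `dac_override`, each suggested capability should still be checked against what the program actually needs before it is added to the profile.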



