11 Jun 2018, 19:19
Hello,

On Saturday, 9 June 2018, 20:58:17 CEST, ellanios82 wrote:
> type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=1 capname="dac_override"
> type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=2 capname="dac_read_search"
> type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED"
> operation="capable" profile="/usr/bin/updatedb" pid=18558
> comm="updatedb" capability=3 capname="fowner"

This means the AppArmor profile for updatedb needs the following additions:

    capability dac_override,      # maybe not, see below.
    capability dac_read_search,
    capability fowner,

I was able to reproduce this with RUN_UPDATEDB_AS=root in /etc/sysconfig/locate

One interesting detail is that I got a denial for dac_override only once, and even that surprises me - updatedb cares about directory content (which might need dac_read_search [1]), but I have no idea why it would need dac_override.

As Carlos already told you, you should report in bugzilla that the profile needs some additions. Well, except this time because I just did the work and added a comment to https://bugzilla.opensuse.org/show_bug.cgi?id=1089594 ;-)

Regards,

Christian Boltz

[1] for example
        drwx------ cb users /home/cb
    - if root wants to get a directory listing of that directory, dac_read_search is needed.
    dac_override would be needed to read or write a file like
        -rw------- cb users /home/cb/somefile
    See man 7 capabilities for more details.

--
> what do I need to avoid?
* Belgian "Beer". At any cost.
[> Richard Brown and Henne Vogelsang in opensuse-project]
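The mapping from audit records to profile rules described in the message can be scripted. The following is an added example, not part of the original post or of the AppArmor tools: it parses `type=AVC` records, keeps only `operation="capable"` events, and emits candidate `capability` rules per profile. The function names and the fourth log line are constructed for illustration.

```python
import re
from collections import defaultdict

# The three audit records quoted in the message, plus one constructed
# file-access record (last entry) to show that non-capability events are skipped.
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" '
    'profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1 capname="dac_override"',
    'type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" '
    'profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"',
    'type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" '
    'profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"',
    'type=AVC msg=audit(1528570245.001:179): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/updatedb" name="/home/cb/" pid=18558 comm="updatedb" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=1000',  # constructed sample
])

# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def capability_rules(log_text):
    """Map each profile to the sorted capability rules its AVC records imply."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") != "AVC" or f.get("operation") != "capable":
            continue
        # ALLOWED is logged in complain mode, DENIED in enforce mode.
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if "profile" in f and "capname" in f:
            needed[f["profile"]].add(f["capname"])
    return {p: [f"capability {c}," for c in sorted(caps)] for p, caps in needed.items()}


if __name__ == "__main__":
    for profile, rules in capability_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("  " + rule)  # candidates only: review each one before adding it
```

The output is a list of candidates to review rather than rules to paste in, as the message's own doubt about `dac_override` shows.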