Mailinglist Archive: opensuse-support (97 mails)

Re: [opensuse-support] updatedb now fails for regular user with local db
Hello,

On Monday, 26 November 2018, 11:24:33 CET, Carlos E. R. wrote:
On 26/11/2018 10.49, Ralph wrote:
On Sun, 25 Nov 2018 20:01:33 -0500

Patrick Shanahan <paka@xxxxxxxxxxxx> wrote:
* Ralph <suselist@xxxxxxxxxxxx> [11-25-18 19:50]:
[os Leap 15, xfce]

I have a private mlocate database in my /home.

Nobody told me about that when I created and submitted an AppArmor
profile for locate and updatedb ;-)

This also means that I'm not surprised that you get a "permission
denied" error.

Did that. My google-fu is really weak but it seems the Nov 17 update
to mlocate was to fix a problem with mlocate/updatedb permissions
related to apparmor,

I'd have to check the details, but I'm quite sure that this update added
the AppArmor profile.

https://bugzilla.opensuse.org/show_bug.cgi?id=1089594

I'm having trouble following the logic of that bug chat as my
knowledge of apparmor is slim to none, especially at 3:30 am here.
What's it say there? 8-/

That bug was about adding the AppArmor profiles (as security
improvement) and, starting at comment 4, that the updatedb profile needs
some capabilities added that weren't part of the initial profile.

Move the file "/etc/apparmor.d/usr.bin.locate" temporarily somewhere
else, restart apparmor, and try again with locate. If it works, open
a bugzilla.

That won't work - reloading apparmor no longer unloads unknown profiles.
You'll need to run aa-remove-unknown - but before you do that, check
the release notes for details and the reason for this change.

If you really want to disable a profile, use aa-disable, but I don't
recommend that.

Instead, switch the profile to complain (learning) mode with
aa-complain, and after updating the profile, switch it back to enforce
mode with aa-logprof.

Alternative.

Run "aa-logprof", hopefully it says something about something in
locate being denied and gives you the chance to allow it.

Exactly, aa-logprof will help to update the profile easily.


That said, you can also update the profiles manually:

In /etc/apparmor.d/usr.bin.locate, add
/home/rsil/Downloads/rsildb r,

In /etc/apparmor.d/usr.bin.updatedb, add
/home/rsil/Downloads/rsildb rwk,
/home/rsil/Downloads/rsildb.?????? rw,

Then run rcapparmor reload and everything should work as expected.


Notice to myself: the updatedb and locate profiles should have a local/
include so that you don't need to modify the packaged profiles.


Regards,

Christian Boltz
--
What do you suggest, Prof. Dr. cvs. Boltz? :-)
[Ratti in fontlinge-devel]
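
The log-to-rule step that aa-logprof automates, reduced to file rules, as an added example (not part of the original mail and not AppArmor's own code). The audit lines are constructed; the profile names, PIDs and the temp-file suffix in them are assumptions built around the paths quoted in the mail.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread). updatedb is assumed to be
# in complain mode (events logged as ALLOWED), locate in enforce mode (DENIED).
SAMPLE_LOG = """\
type=AVC msg=audit(1543227873.101:811): apparmor="ALLOWED" operation="open" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb" pid=4211 comm="updatedb" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=AVC msg=audit(1543227873.102:812): apparmor="ALLOWED" operation="file_lock" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb" pid=4211 comm="updatedb" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1543227873.140:813): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb.Xk3f9Q" pid=4211 comm="updatedb" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1543227873.141:814): apparmor="ALLOWED" operation="open" profile="/usr/bin/updatedb" name="/home/rsil/Downloads/rsildb.Xk3f9Q" pid=4211 comm="updatedb" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1543227880.007:820): apparmor="DENIED" operation="open" profile="/usr/bin/locate" name="/home/rsil/Downloads/rsildb" pid=4230 comm="locate" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1543227881.000:821): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=4240 comm="updatedb" capability=2 capname="dac_read_search"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "rwaklmx"                         # order used when printing a mode
TMP_SUFFIX = re.compile(r"\.[A-Za-z0-9]{6}$")  # mkstemp-style suffix (assumed)

def suggest_rules(log_text):
    """Return {profile: [rule, ...]} for file accesses the profiles do not cover."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Enforce mode logs DENIED; complain mode logs ALLOWED for the same gaps.
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "name" not in f or "denied_mask" not in f:
            continue  # capability events carry no path and need a different rule
        for ch in f["denied_mask"]:
            perms[(f["profile"], f["name"])].add("w" if ch in "cd" else ch)
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        base = TMP_SUFFIX.sub("", path)
        if base != path and (profile, base) in perms:
            path = base + ".??????"  # glob the random temp name next to the db
        if "w" in p:
            p.discard("a")  # append is already covered by write
        mode = "".join(c for c in PERM_ORDER if c in p)
        rule = f"{path} {mode},"
        if rule not in rules[profile]:
            rules[profile].append(rule)
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```
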


