Mailinglist Archive: opensuse-support (97 mails)

< Previous Next >
Re: [opensuse-support] updatedb now fails for regular user with local db
On 26/11/2018 12.56, Christian Boltz wrote:
Hello,

Am Montag, 26. November 2018, 11:24:33 CET schrieb Carlos E. R.:
On 26/11/2018 10.49, Ralph wrote:
On Sun, 25 Nov 2018 20:01:33 -0500
Patrick Shanahan <> wrote:
* Ralph <> [11-25-18 19:50]:
[os Leap 15, xfce]

I have a private mlocate database in my /home.

Nobody told me about that when I created and submitted an AppArmor
profile for locate and updatedb ;-)

This also means that I'm not surprised that you get a "permission
denied" error.

:-)

Did that. My google-fu is really weak but it seems the Nov 17 update
to mlocate was to fix a problem with mlocate/updatedb permissions
related to apparmor,

I'd have to check the details, but I'm quite sure that this update added
the AppArmor profile.

https://bugzilla.opensuse.org/show_bug.cgi?id=1089594

I'm having trouble following the logic of that bug chat as my
knowledge of apparmor is slim to none, especially at 3:30 am here.
What's it say there? 8-/

That bug was about adding the AppArmor profiles (as security
improvement) and, starting at comment 4, that the updatedb profile needs
some capabilities added that weren't part of the initial profile.

Move the file "/etc/apparmor.d/usr.bin.locate" temporarily somewhere
else, restart apparmour, and try again with locate. If it works, open
a bugzilla.

That won't work - reloading apparmor no longer unloads unknown profiles.
You'll need to run aa-remove-unknown - but before you do that, check
the release notes for details and the reason for this change.

Oh!

(well, a reboot would work :-p )

If you really want to disable a profile, use aa-disable, but I don't
recommend that.

Instead, switch the profile to complain (learning) mode with
aa-complain, and after updating the profile, switch it back to enforce
mode with aa-logprof.

Alternative.

Run "aa-logprof", hopefully it says something about something in
locate being denied and gives you the chance to allow it.

Exactly, aa-logprof will help to update the profile easily.

I use that often.

--
Cheers / Saludos,

Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)

< Previous Next >