Mailinglist Archive: opensuse-support (97 mails)

< Previous Next >
Re: [opensuse-support] updatedb now fails for regular user with local db
  • From: Ralph <suselist@xxxxxxxxxxxx>
  • Date: Tue, 27 Nov 2018 17:00:07 -0600
  • Message-id: <20181127170007.5fbab36b@dellT3620>
On Tue, 27 Nov 2018 19:43:32 +0100
Christian Boltz <opensuse@xxxxxxxxx> wrote:

I didn't understand the options in aa-logprof so I followed your
manual
instructions:

What exactly in aa-logprof was hard to understand? I'm always open
for improvements ;-)

Probably nothing at all wrong with your prog, but I did not have time
to read the man page yet. I was shown a list of profiles (3?), one with
wildcards, and had no idea which one even to deal with, or maybe it was
all 3 to be worked. I also tried the gui version of it with same "what
do I do here" result.

That said, you can also update the profiles manually:
[...]
Then run rcapparmor reload and everything should work as
expected.
This didn't work. The messages are now gone from aa-logprof, but
running:

"updatedb -l 0 -o /home/rsil/Downloads/rsildb -U /home/rsil"

...still gives me the message:

"updatedb: can not open a temporary file for
`/home/rsil/Downloads/rsildb'"

I checked my entries for any typos but all is good there...?

Maybe you need additional permissions I didn't guess from just
reading and adjusting the profiles.

Start tail -f /var/log/audit/audit.log as root and try updatedb
again. You'll probably get some log entries - just paste them (in
your next mail or paste.opensuse.org, depending on the size) so that
I can see what's going on.

The paste is at: http://paste.opensuse.org/d3ec73bc

You can/should also run
aa-complain /etc/apparmor.d/usr.bin.updatedb to switch the profile to
learning mode so that we see everything that would be denied instead
of only the first issue. Don't forget to switch the profile back to
enforce mode with aa-enforce when it's updated ;-)

No opportunity for this yet...

Just to be sure, even if if sounds unlikely - did you check the owner
and directory permissions of /home/rsil/Downloads/ and the owner and
permissions of the existing "rsildb*" file(s)? If the filesystem
permissions deny access, AppArmor won't change anything ;-)

Entire /home/rsil is restricted to owner, rw(x). No rights/access to
group or others. The db is -rw------- and the directories path to it
are all drwx------.

Thanks for the assistance.

Ralph
--
To unsubscribe, e-mail: opensuse-support+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-support+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups