Re: [opensuse-support] updatedb now fails for regular user with local db

Am Mittwoch, 28. November 2018, 14:27:06 CET schrieb Ralph:
On Wed, 28 Nov 2018 12:44:11 +0100
Christian Boltz <opensuse@xxxxxxxxx> wrote:
(My guess is that you might have a backup copy of the original
profile, which gets loaded after the updated profile and replaces
Well, very very good "guessing", you nailed it perfectly.

Well, let's say I didn't have to guess that for the first time ;-)

dellT3620:~> grep -r /usr/bin/updatedb /etc/apparmor.d/
/etc/apparmor.d/usr.bin.updatedb.orig:/usr/bin/updatedb {
/etc/apparmor.d/usr.bin.updatedb.orig: /usr/bin/updatedb mr,
/etc/apparmor.d/usr.bin.updatedb:/usr/bin/updatedb {
/etc/apparmor.d/usr.bin.updatedb: /usr/bin/updatedb mr,

Moving the .orig backup file elsewhere, and doing the same for
locate.orig file, then another "rcapparmor reload", and all is
seemingly back to normal, update and locate both work fine on the
local db.

I'm happy to hear that :-)

I guess I am going to have to change my method of naming
backup copies of edited system files :-/

For AppArmor profiles, the best strategy is to move them out of
/etc/apparmor.d/ (actually I'd recommend that for all /etc/whatever.d/

Since Carlos asked - suffixes that get ignored by the AppArmor tools
(aa-logprof etc.) are: skippable_suffix = (
'.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.dpkg-remove',
'.pacsave', '.pacnew',
'.rpmnew', '.rpmsave',
'.orig', '.rej',

libapparmor (and apparmor_parser, if you give a directory as parameter)
also ignores these suffixes.

However, you accidently found a bug ;-) - the script that loads the
profiles doesn't ignore *.orig and *.rej files. I just submitted
so that the next maintenance release will fix this.

(As a sidenote - if you'd have used a not-ignored extension for your
backup file, aa-logprof would have complained about having two profiles
for the same program.)


Christian Boltz
