updatedb (locate_t) "read" fusefs_t.

Miroslav Grepl mgrepl at redhat.com
Wed Jan 13 15:22:12 UTC 2010 

On 01/13/2010 02:42 PM, Arthur Dent wrote:
> Hello All,
>
> I have a NTFS partition mounted by fstab at boot time on my F11 system.
> Recently I have been getting screeds and screeds of AVCs each time
> updatedb runs (daily) - See below for an example.
>
> A bit of googling revealed Bug 549602
> https://bugzilla.redhat.com/show_bug.cgi?id=549602 which seems similar.
>
> Although fixed, it relates to F12. Unless I have missed something (quite
> probable) I can't see a similar fix for F11.
>
> My questions are therefore:
> 1) Is there a similar fix for F11?
>    
Not yet.

> 2) Will that solve my problem?
> 3) If not, what should I do?
>
>    
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

> I am running:
> selinux-policy-targeted-3.6.12-92.fc11.noarch
> selinux-policy-3.6.12-92.fc11.noarch
>
> Thanks in advance
>
> Mark
>
> ======================8<=================================================
>
>
> Summary:
>
> SELinux is preventing updatedb (locate_t) "read" fusefs_t.
>
> Detailed Description:
>
> SELinux denied access requested by updatedb. It is not expected that this access
> is required by updatedb and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:fusefs_t:s0
> Target Objects                /mnt/ntfs/Users/Mark/Cookies [ lnk_file ]
> Source                        updatedb
> Source Path                   /usr/bin/updatedb
> Port<Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           mlocate-0.22-1
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.12-92.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                                2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24
>                                16:41:17 UTC 2009 i686 i686
> Alert Count                   3
> First Seen                    Mon 11 Jan 2010 09:22:03 GMT
> Last Seen                     Wed 13 Jan 2010 08:27:02 GMT
> Local ID                      f5c7a401-052c-4149-b79c-d5bef7725b9d
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1263371222.110:58): avc:  denied  { read } for  pid=4574 comm="updatedb" name="Cookies" dev=sda3 ino=86736 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1263371222.110:58): arch=40000003 syscall=12 success=no exit=-13 a0=8e1e6f9 a1=bfcd3510 a2=bfcd36f4 a3=bfcd3510 items=0 ppid=4568 pid=4574 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

More information about the selinux mailing list