F13: SELinux is preventing /usr/bin/updatedb "read" access on My Documents

Daniel B. Thurman dant at cdkkt.com
Fri Oct 1 15:36:35 UTC 2010 

 On 10/01/2010 08:16 AM, Daniel J Walsh wrote:
> On 10/01/2010 10:32 AM, Dan Thurman wrote:
> > I get this often too, how to fix?
>
> > ====================================================================
> > Summary:
>
> > SELinux is preventing /usr/bin/updatedb "read" access on My Documents.
>
> > Detailed Description:
>
> > SELinux denied access requested by updatedb. It is not expected that
> > this access
> > is required by updatedb and this access may signal an intrusion attempt.
> > It is
> > also possible that the specific version or configuration of the
> > application is
> > causing it to require additional access.
>
> > Allowing Access:
>
> > You can generate a local policy module to allow this access - see FAQ
> > (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
> file a bug
> > report.
>
> > Additional Information:
>
> > Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:samba_share_t:s0
> > Target Objects                My Documents [ lnk_file ]
> > Source                        updatedb
> > Source Path                   /usr/bin/updatedb
> > Port                          <Unknown>
> > Host                          host.domain.com
> > Source RPM Packages           mlocate-0.22.4-1.fc13
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.7.19-57.fc13
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     host.domain.com
> > Platform                      Linux host.domain.com
> > 2.6.34.6-54.fc13.i686 #1 SMP
> >                               Sun Sep 5 17:52:31 UTC 2010 i686 i686
> > Alert Count                   130
> > First Seen                    Thu 30 Sep 2010 03:43:09 AM PDT
> > Last Seen                     Fri 01 Oct 2010 03:37:52 AM PDT
> > Local ID                      4ee4e27f-095e-4186-a718-dfeb6cb22169
> > Line Numbers
>
> > Raw Audit Messages
>
> > node=host.domain.com type=AVC msg=audit(1285929472.607:103678): avc:
> > denied  { read } for  pid=22716 comm="updatedb"
> > name=4D7920446F63756D656E7473 dev=sdc3 ino=83907
> > scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:samba_share_t:s0 tclass=lnk_file
>
> > node=host.domain.com type=SYSCALL msg=audit(1285929472.607:103678):
> > arch=40000003 syscall=12 success=no exit=-13 a0=9e9c8f9 a1=bfe5b6f0
> > a2=bfe5b8e4 a3=bfe5b6f0 items=0 ppid=22709 pid=22716 auid=0 uid=0 gid=0
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6602
> > comm="updatedb" exe="/usr/bin/updatedb"
> > subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
>
>
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> Did you relabel your homedir as samba_share_t?
No. This came from a mounted NTFS filesystem.  Please
see my response to the smbd error as it explains the situation
regarding defining context='',defaults issue - and by adding
in the ',defaults' it allows SELinux to do enforing/verification
within the NTFS mounted filesystems which is what I wanted
to stop in the first place.  Perhaps a bug on this needs to be
reported such that context='' is a vaild argument instead of
also requiring ',defaults' in order to make it so?

More information about the selinux mailing list