Recently updatedb (from mlocate) is triggering selinux warnings. That’s pretty annoying. Does anybody else experience these issues? Attached the message I get from sealert.
SELinux is preventing updatedb from search access on the directory dma_heap.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that updatedb should be allowed search access on the dma_heap directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
# semodule -X 300 -i my-updatedb.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context system_u:object_r:dma_device_t:s0
Target Objects dma_heap [ dir ]
Source updatedb
Source Path updatedb
Port <Unknown>
Host laptop
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.9-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.9-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name laptop
Platform Linux laptop 5.12.9-300.fc34.x86_64 #1 SMP Thu
Jun 3 13:51:40 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-06-09 13:59:47 JST
Last Seen 2021-06-09 14:05:49 JST
Local ID 946269ac-905d-47d6-b9ed-61923e5b54cd
Raw Audit Messages
type=AVC msg=audit(1623215149.152:1044): avc: denied { search } for pid=8822 comm="updatedb" name="dma_heap" dev="devtmpfs" ino=151 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_t:s0 tclass=dir permissive=0
Hash: updatedb,unconfined_t,dma_device_t,dir,search