Updatedb triggers selinux warning

Recently updatedb (from mlocate) is triggering selinux warnings. That’s pretty annoying. Does anybody else experience these issues? Attached the message I get from sealert.

SELinux is preventing updatedb from search access on the directory dma_heap.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that updatedb should be allowed search access on the dma_heap directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
# semodule -X 300 -i my-updatedb.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                system_u:object_r:dma_device_t:s0
Target Objects                dma_heap [ dir ]
Source                        updatedb
Source Path                   updatedb
Port                          <Unknown>
Host                          laptop
Source RPM Packages       
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.9-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.9-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     laptop
Platform                      Linux laptop 5.12.9-300.fc34.x86_64 #1 SMP Thu
                              Jun 3 13:51:40 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-06-09 13:59:47 JST
Last Seen                     2021-06-09 14:05:49 JST
Local ID                      946269ac-905d-47d6-b9ed-61923e5b54cd

Raw Audit Messages
type=AVC msg=audit(1623215149.152:1044): avc:  denied  { search } for  pid=8822 comm="updatedb" name="dma_heap" dev="devtmpfs" ino=151 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_t:s0 tclass=dir permissive=0

Hash: updatedb,unconfined_t,dma_device_t,dir,search



“Do allow this access for now by executing:”

ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
semodule -X 300 -i my-updatedb.pp
1 Like

Thanks, I know how to suppress selinux warnings. setenforce 0 works, too, but I rather not do that.

And I appreciate that you point out a less drastic option.
However, I do not want to add new rules just like that, because I am not sure about the consequences and I do not know whether I should believe that updatedb should be allowed search access .... Checking bugzilla for mlocate and updatedb did not return anything relevant, that’s why I asked here.

1 Like