Denied create - Why?

Postby tjh » Wed Mar 25, 2015 4:30 pm

Hitting the following issue with my RBAC policy:
Code:
grsec: (root:U:/etc/cron.daily) denied create of /var/lib/mlocate/daily.lock for writing by /bin/touch[touch:2970] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:2968] uid/euid:0/0 gid/egid:0/0


Here's the relevant parts of the subject (lots of objects that aren't relevant omitted):

Code:
# Role: root
subject /etc/cron.daily odspkA {
user_transition_allow man debian-spamd
group_transition_allow man debian-spamd

        /
        /bin                            rxi
        /lib                            rxi
        /lib/modules                    h
        /lib64/modules                  h
        /proc                           r
        /proc/bus                       h
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/modules                   h
        /proc/slabinfo                  h
        /sbin
        /sbin/runlevel                  xi
        /sbin/start-stop-daemon         xi
        /sbin/killall5                  xi
        /srv
        /usr
        /usr/bin                        rxi
        /usr/include
        /usr/include/libxml2
        /usr/lib                        rxi
        /usr/local/lib/mod_security2.so rxi
        /usr/sbin                       rxi
        /usr/share                      r
        /var
        /var/backups                    rwcd
        /var/cache                      w
        /var/cache/apache2
        /var/cache/apt                  rwcda
        /var/cache/man
        /var/lib                        r
        /var/lib/dpkg                   rw
        /var/lib/ghostscript
        /var/lib/imapproxy
        /var/lib/logrotate
        /var/lib/logrotate/status       rw
        /var/lib/mlocate
        /var/lib/mlocate/daily.lock     wcd
        /var/lib/mlocate/mlocate.db*    rwcd



/etc/cron.daily/mlocate itself contains:
Code:
#! /bin/bash

set -e

[ -x /usr/bin/updatedb.mlocate ] || exit 0

if which on_ac_power >/dev/null 2>&1; then
    ON_BATTERY=0
    on_ac_power >/dev/null 2>&1 || ON_BATTERY=$?
    if [ "$ON_BATTERY" -eq 1 ]; then
        exit 0
    fi
fi

##

LOCKFILE="/var/lib/mlocate/daily.lock"

trap "rm -f $LOCKFILE" EXIT

if [ -e "$LOCKFILE" ]; then
    echo >&2 "Warning: $LOCKFILE present, not running updatedb."
    exit 1
else
    touch "$LOCKFILE"
fi

##

# See ionice(1)
if [ -x /usr/bin/ionice ] &&
    /usr/bin/ionice -c3 true 2>/dev/null; then
    IONICE="/usr/bin/ionice -c3"
fi

$IONICE /usr/bin/updatedb.mlocate


So /bin/touch has xi, so it should be inheriting the policy, which includes create access for /var/lib/mlocate/daily.lock.

Do I need read to allow for create?
tjh
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Denied create - Why?

Postby spender » Wed Mar 25, 2015 7:17 pm

Hi tjh,

The only thing I can think of here would be if that file was removed with the rm -f, but a hardlink existed to it somewhere, preventing the usual policy recreation from happening. Can you do a stat on the file to see if there are any active hardlinks to it?

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
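A small triage helper for this thread, added here as an example and not code from either poster or from gradm: it parses the denial line tjh posted, looks up the most specific matching object in the quoted subject the way one would by hand (longest matching path, with shell-style globs such as mlocate.db*; this is an approximation of gradm's lookup, not its code), reports which mode letters the event asks for and whether the rule carries them, and then demonstrates the stat check Brad suggests by creating a file with a second hard link in a temporary directory and showing that the inode outlives the removal of its first name. The ACTION_TO_MODE table and the required-modes rule are assumptions about how the wording of denial messages maps onto object modes; the policy text embedded below is a constructed subset of the subject in the post.

```python
"""Offline triage for a grsecurity RBAC 'denied create' event (example, not gradm)."""
import fnmatch
import os
import re
import tempfile

# Constructed copy of the denial line from the post.
DENIAL_LINE = (
    "grsec: (root:U:/etc/cron.daily) denied create of /var/lib/mlocate/daily.lock "
    "for writing by /bin/touch[touch:2970] uid/euid:0/0 gid/egid:0/0, "
    "parent /etc/cron.daily/mlocate[mlocate:2968] uid/euid:0/0 gid/egid:0/0"
)

DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<action>\w+) of (?P<path>\S+) "
    r"(?:for (?P<how>\w+) )?by (?P<binary>[^\[]+)\[(?P<comm>[^:]+):(?P<pid>\d+)\]"
)

# Constructed subset of the posted subject: object path, then its mode letters.
# An object with no mode letters grants no access to that path.
POLICY_TEXT = """
/
/bin rxi
/var
/var/lib r
/var/lib/mlocate
/var/lib/mlocate/daily.lock wcd
/var/lib/mlocate/mlocate.db* rwcd
"""

# Assumed mapping from the verb in a denial message to the object mode it needs.
ACTION_TO_MODE = {"create": "c", "open": "r", "write": "w", "unlink": "d",
                  "exec": "x", "link": "l", "append": "a"}


def parse_denial(line):
    """Split a grsec denial line into role, subject, action, path and process fields."""
    m = DENIAL_RE.search(line)
    if not m:
        raise ValueError("not a grsec denial line")
    return m.groupdict()


def parse_policy(text):
    """Turn 'path [modes]' lines into (path, modes) tuples; missing modes become ''."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts:
            rules.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return rules


def _path_matches(rule_path, path):
    # Glob objects use shell wildcards; plain objects cover themselves and everything below.
    if any(ch in rule_path for ch in "*?["):
        return fnmatch.fnmatchcase(path, rule_path)
    return path == rule_path or rule_path == "/" or path.startswith(rule_path + "/")


def best_rule(rules, path):
    """Longest matching object wins (approximation of gradm's lookup order)."""
    matches = [r for r in rules if _path_matches(r[0], path)]
    return max(matches, key=lambda r: len(r[0])) if matches else None


def required_modes(event):
    """Mode letters the denied operation asks for, per the assumed mapping above."""
    need = {ACTION_TO_MODE.get(event["action"], "?")}
    if event.get("how") == "writing":
        need.add("w")
    elif event.get("how") == "reading":
        need.add("r")
    return need


def policy_verdict(rules, event):
    """Report the governing rule and which required letters it lacks, if any."""
    rule = best_rule(rules, event["path"])
    need = required_modes(event)
    if rule is None:
        return {"rule": None, "missing": sorted(need), "allowed": False}
    missing = sorted(m for m in need if m not in rule[1])
    return {"rule": rule, "missing": missing, "allowed": not missing}


def hardlink_count(path):
    """st_nlink of a path; above 1 means another directory entry shares the inode."""
    return os.stat(path).st_nlink


def demo_hardlink():
    """Constructed demo: after rm of the first name, a second link keeps the file alive."""
    with tempfile.TemporaryDirectory() as d:
        lock, alias = os.path.join(d, "daily.lock"), os.path.join(d, "daily.lock.alias")
        open(lock, "w").close()
        before = hardlink_count(lock)        # 1: a fresh file has one name
        os.link(lock, alias)
        linked = hardlink_count(lock)        # 2: two names, one inode
        os.unlink(lock)                      # the cron job's 'rm -f' equivalent
        survives = os.path.exists(alias) and hardlink_count(alias) == 1
        return before, linked, survives


if __name__ == "__main__":
    ev = parse_denial(DENIAL_LINE)
    print(policy_verdict(parse_policy(POLICY_TEXT), ev))
    print("hardlink demo (before, linked, survives):", demo_hardlink())
```

Run as-is it prints the verdict for the posted line; on a live system, hardlink_count("/var/lib/mlocate/daily.lock") gives the link count Brad asked about, and a value above 1 means the name removed by the cron job's rm -f was not the only one pointing at that inode.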

