Bugzilla – Bug 1200997
mlocate: Cannot use updatedb --output and locate --database
Last modified: 2022-06-29 12:48:02 UTC
openSUSE has very strict AppArmor rules that turn a very nice multi-database feature of mlocate into a void. This feature is extremely useful for indexing removable media. As the database could be an arbitrary file, there are several possible fixes:

1) Make it possible to access /var/lib/mlocate/*.db and /var/lib/mlocate/*.db.??????. Document that the database file has to be located in /var/lib/mlocate.
   + Very safe.
   - Makes it impossible for non-root users to use updatedb.

2) Make it possible to access any *.db and *.db.??????.
   - Less safe. .db is a very common file suffix.

3) Change the database file suffix, e.g. to .mlocatedb
   + Very safe.
   + Makes it possible for non-root users to use updatedb.
   - Breaking change, requiring renaming of databases in custom scripts and LOCATE_PATH.
   - Needs a code change that should be upstreamed. (Suffix change.)

Work-around for 1):

    sed -i 's:/var/lib/mlocate/mlocate.db:/var/lib/mlocate/*.db:' /etc/apparmor.d/usr.bin.updatedb /etc/apparmor.d/usr.bin.locate
    systemctl reload apparmor

Actually, I see another possible solution:

4) Make it possible to access *mlocate/*.db and *mlocate/*.db.??????. Document that the database file has to be located in a directory named mlocate. Or also allow .mlocate?
   + Still very safe.
   + Makes it possible for non-root users to use updatedb.
   - A somewhat uncomfortable limitation on the allowed path.

In any case, the limitation should be documented in both man pages, and maybe even in --help (note: the latter would break L10N and would require adding a SUSE-specific translation).
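
Added example, not part of the bug report and not code from mlocate or AppArmor: a small matcher for a subset of AppArmor path globbing (*, ** and ?) that shows which database paths options 1, 2 and 4 would admit. The renderings of options 2 and 4 as /**.db and /**mlocate/*.db are assumptions about how those proposals would be written as profile rules, and the sample paths are constructed.

```python
import re

def apparmor_glob_to_regex(glob):
    """Translate a simplified subset of AppArmor path globs to a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")       # ** may cross directory boundaries
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")    # * stays inside one path component
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")     # ? is exactly one non-slash character
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)

# Assumed glob form of each proposal (database file plus its temp file).
OPTIONS = {
    "1": ["/var/lib/mlocate/*.db", "/var/lib/mlocate/*.db.??????"],
    "2": ["/**.db", "/**.db.??????"],
    "4": ["/**mlocate/*.db", "/**mlocate/*.db.??????"],
}

def allowed(option, path):
    """True if any rule of the given option matches the whole path."""
    return any(apparmor_glob_to_regex(g).fullmatch(path) for g in OPTIONS[option])

# Constructed sample paths.
SAMPLES = [
    "/var/lib/mlocate/mlocate.db",
    "/var/lib/mlocate/usbstick.db.Ab3xQ9",
    "/var/lib/mlocate/sub/usbstick.db",
    "/home/alice/.mlocate/usbstick.db",
    "/home/alice/.config/app/cache.db",
]

def matrix():
    """Map each sample path to the list of options that would permit it."""
    return {p: [o for o in OPTIONS if allowed(o, p)] for p in SAMPLES}

if __name__ == "__main__":
    for path, opts in matrix().items():
        print(f"{path:40} allowed under: {', '.join(opts) or 'none'}")
```

The last sample is the case behind "Less safe" in option 2: an unrelated application's .db file becomes reachable by the confined binaries, while options 1 and 4 still exclude it.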