Bug 1207884

Summary:	systemd hardening breaks mlocate
Product:	[openSUSE] openSUSE Distribution	Reporter:	Carlos Robinson <carlos.e.r>
Component:	Other	Assignee:	Johannes Segitz <jsegitz>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	security-team
Version:	Leap 15.4
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Carlos Robinson 2023-02-03 12:45:42 UTC

See https://bugzilla.opensuse.org/show_bug.cgi?id=1181400#c211

Elesar:~ # locate snd-hda-intel
Elesar:~ # find /lib/modules -type f -name snd-hda-intel\*
/lib/modules/5.14.21-150400.24.41-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
/lib/modules/5.14.21-150400.24.38-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
Elesar:~ # 


We thought that the new kernel was missing modules.

 <https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/VAVGAYLAWYL3R7Y6U7IEQZOOKF56W3SX/>

The hack is overriding mlocate.service with:

[Service]
ProtectKernelModules=false

Comment 1 Matthias Gerstner 2023-02-03 13:19:40 UTC

The technical reason for this is that ProtectKernelModules also makes the
kernel module tree inaccessible. The problem in locate thus only extends to
kernel modules.

Comment 2 Johannes Segitz 2023-02-06 09:04:27 UTC

fixed with sc#1063060

Comment 4 Maintenance Automation 2023-10-09 12:28:55 UTC

SUSE-RU-2023:4010-1: An update that has two fixes can now be installed.

Category: recommended (moderate)
Bug References: 1207884, 1209409
Sources used:
openSUSE Leap 15.4 (src): mlocate-0.26-150400.16.6.1
openSUSE Leap 15.5 (src): mlocate-0.26-150400.16.6.1
Basesystem Module 15-SP4 (src): mlocate-0.26-150400.16.6.1
Basesystem Module 15-SP5 (src): mlocate-0.26-150400.16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.