Bug 1029894
| Summary: | getting 'type=AVC msg=audit(...): avc: denied { search } for pid=... comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir' after upgrade to glibc-2.12-1.132.el6.x86_64 | | |
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Jan Hutař <jhutar> |
| Component: | Server | Assignee: | Michael Mráka <mmraka> |
| Status: | CLOSED ERRATA | QA Contact: | Jiří Mikulka <jmikulka> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 560 | CC: | cperry, jmikulka, jpazdziora, tlestach |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1031387 1043410 | Environment: | |
| Last Closed: | 2013-12-04 15:42:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1031387 | | |
| Bug Blocks: | 924189, 1043410 | | |
SYSCALL generated together with AVC:
type=SYSCALL msg=audit(1384353538.383:6728): arch=c000003e syscall=2 per=400000 success=no exit=-13 a0=7fa5c93d82b8 a1=80000 a2=1ffffd44d7d7 a3=4 items=0 ppid=1 pid=6995 auid=4294967295 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=unconfined_u:system_r:oracl
Fixed in spacewalk master by
commit 6aa92f5df543de175fcd46a88f7e4b67d1988fa2
1029894 - allow oracle read sysfs
Just noted this message as well on 5.6.0 with embedded PostgreSQL:
time->Thu Nov 14 21:55:27 2013
type=SYSCALL msg=audit(1384484127.268:573): arch=c000003e syscall=2 success=no exit=-13 a0=7f18c9ad52b8 a1=80000 a2=2803ff a3=7f1897fff9d0 items=0 ppid=1 pid=27689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384484127.268:573): avc: denied { search } for pid=27689 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
In some very rare cases I do see similar AVC generated by cobbler as well:
time->Sun Nov 17 17:04:05 2013
type=SYSCALL msg=audit(1384725845.423:561): arch=c000003e syscall=2 success=no exit=-13 a0=7faf000582b8 a1=80000 a2=2803ff a3=7faeeabfd9d0 items=0 ppid=1 pid=18537 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384725845.423:561): avc: denied { search } for pid=18537 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
When in Permissive, these AVCs got recorded:
type=AVC msg=audit(1384760968.366:1448): avc: denied { search } for pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc: denied { read } for pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc: denied { open } for pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
And inode 23 is:
/sys/devices/system/cpu/online
which contains:
# cat /sys/devices/system/cpu/online
0-31
and really, I'm on system with 32 processors:
# cat /proc/cpuinfo | grep ^processor | wc -l
32
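Added example, not code from this bug or from Spacewalk: a small Python parser that reads AVC records like the ones quoted in this comment and collapses them into the minimal `allow` rules they imply, a simplified version of what `audit2allow` does. The sample log is constructed here from the cobblerd and oracle denials above (same contexts, class and permissions), and a SYSCALL record is included to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the AVC lines quoted in this bug:
# cobblerd_t and oracle_db_t denied on sysfs_t, plus one SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384760968.366:1448): avc: denied { search } for pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc: denied { read } for pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc: denied { open } for pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1384760968.366:1448): arch=c000003e syscall=2 success=no exit=-13 comm="cobblerd" exe="/usr/bin/python"
type=AVC msg=audit(1384348955.069:2073): avc: denied { search } for pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# Fields of an AVC record: the braced permission list, then both contexts and the class.
AVC_RE = re.compile(
    r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)

def type_of(ctx):
    """Return the type component of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield (source type, target type, object class, permission) for each denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH ... records carry no denial
        for perm in m.group("perms").split():
            yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perm

def allow_rules(text):
    """Collapse denials into one 'allow' rule per (source, target, class), sorted."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_avc(text):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = " ".join(sorted(ps)) if len(ps) == 1 else "{ %s }" % " ".join(sorted(ps))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Note that the enforcing-mode captures earlier in this bug would only have yielded the `dir search` rule, because the denied lookup of `/` on sysfs aborts the open before `read`/`open` on `online` are ever attempted; the file rules appear only in the Permissive capture, which is why deriving rules from enforcing-mode logs alone leaves a policy module incomplete.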
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1782.html
Description of problem:
After upgrade of RHEL-6.4 with Satellite 5.5.0 installed to glibc-2.12-1.132.el6.x86_64, I started getting one AVC each ~5-10 seconds. Also seen on 5.4.1, but not on 5.6.0.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.18.noarch
glibc-2.12-1.132.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Take RHEL 6.4, install Satellite 5.5.0 with embedded Oracle DB on it
2. Upgrade to glibc-2.12-1.132.el6.x86_64 and restart Satellite

Actual results:
Each ~5-10 seconds this SELinux AVC message is generated:
type=AVC msg=audit(1384348955.069:2073): avc: denied { search } for pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
# ps 9003
  PID TTY      STAT   TIME COMMAND
 9003 ?        Ss     0:00 ora_mmnl_rhnsat

Expected results:
No AVCs should be generated