Bug 1258563
| Summary: | AVC denied with package oracle-xe-selinux | | |
|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | Pavel Studeník <pstudeni> |
| Component: | Installation | Assignee: | Tomáš Kašpárek <tkasparek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.3 | CC: | lhellebr |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-16 13:09:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1484117 | | |
```
>> audit2allow < oracle.audit.log

#============= oracle_db_t ==============
allow oracle_db_t ld_so_cache_t:file execute;
allow oracle_db_t oracle_db_log_t:file execute;
allow oracle_db_t tmpfs_t:file execute;
allow oracle_db_t zero_device_t:chr_file execute;

#============= oracle_lsnrctl_t ==============
allow oracle_lsnrctl_t oracle_tnslsnr_t:process { siginh rlimitinh noatsecure };

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t oracle_db_t:process { siginh rlimitinh noatsecure };

#============= oracle_tnslsnr_t ==============
allow oracle_tnslsnr_t http_cache_port_t:tcp_socket name_bind;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, oracle_snmp_support
allow oracle_tnslsnr_t snmp_port_t:tcp_socket name_connect;
```

```
>> make -f /usr/share/selinux/devel/Makefile
Compiling targeted oracle-xe module
oracle-xe.te:66: Warning: mcs_ptrace_all() has been deprecated, please remove mcs_constrained() instead.
oracle-xe.te:78: Warning: corecmd_exec_ls() has been deprecated, please use corecmd_exec_bin() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/oracle-xe.tmp
oracle-xe.te:42:ERROR 'unknown type ld_so_cache_t' at token ';' on line 3305:
allow oracle_db_t ld_so_cache_t:file execute;
#============= oracle_db_t ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/oracle-xe.mod' failed
make: *** [tmp/oracle-xe.mod] Error 1
```

fix https://github.com/Pajinek/spacewalk/commit/18f9d294799e35f37d3603f5a2b312651a79ded7

```diff
# diff oracle-xe.te oracle-xe.te.new -u
--- oracle-xe.te	2015-06-16 21:20:38.000000000 +0200
+++ oracle-xe.te.new	2015-08-31 18:19:14.441896530 +0200
@@ -15,6 +15,9 @@
 	type lib_t;
 	type bin_t;
 	type rhnsd_conf_t;
+	type ld_so_cache_t;
+	type zero_device_t;
+	type snmp_port_t;
 }
 
 rw_files_pattern(oracle_db_t, oracle_sqlplus_log_t, oracle_sqlplus_log_t)
```
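Review bot: the three `type` entries added to the require block in @@ -15,6 +15,9 @@ are only needed because the rules further down use raw types instead of interfaces. For the port type in particular, the refpolicy convention is `corenet_tcp_connect_snmp_port(oracle_tnslsnr_t)` (the same family of generated interfaces that the later `-B` build lists from corenetwork.if), which brings `snmp_port_t` in without a require entry and keeps the module portable across policy versions. `ld_so_cache_t` and `zero_device_t` are required here solely so that /etc/ld.so.cache and /dev/zero can be granted `execute`; a one-line comment in the .te saying why the database needs to map those executable would save the next reader a trip to the audit log.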
```diff
@@ -37,9 +40,32 @@
 allow oracle_db_t self:process ptrace;
+
+#============= oracle_db_t ==============
+allow oracle_db_t ld_so_cache_t:file execute;
+allow oracle_db_t oracle_db_log_t:file execute;
+allow oracle_db_t tmpfs_t:file execute;
+allow oracle_db_t zero_device_t:chr_file execute;
+
+#============= oracle_lsnrctl_t ==============
+allow oracle_lsnrctl_t oracle_tnslsnr_t:process { siginh rlimitinh noatsecure };
+
+#============= oracle_sqlplus_t ==============
+allow oracle_sqlplus_t oracle_db_t:process { siginh rlimitinh noatsecure };
+
+#============= oracle_tnslsnr_t ==============
+allow oracle_tnslsnr_t http_cache_port_t:tcp_socket name_bind;
+
+#!!!! This avc can be allowed using one of the these booleans:
+# nis_enabled, oracle_snmp_support
+allow oracle_tnslsnr_t snmp_port_t:tcp_socket name_connect;
+
+
+
 term_dontaudit_use_console(oracle_db_t)
 term_dontaudit_use_console(oracle_tnslsnr_t)
```

```
# make -f /usr/share/selinux/devel/Makefile -B
/usr/share/selinux/devel/include/kernel/corenetwork.if:74576: Error: duplicate definition of corenet_tcp_sendrecv_oracle_port(). Original definition on 183.
/usr/share/selinux/devel/include/kernel/corenetwork.if:74704: Error: duplicate definition of corenet_tcp_bind_oracle_port(). Original definition on 207.
/usr/share/selinux/devel/include/kernel/corenetwork.if:74763: Error: duplicate definition of corenet_tcp_connect_oracle_port(). Original definition on 231.
/usr/share/selinux/devel/include/kernel/corenetwork.if:105980: Error: duplicate definition of corenet_dontaudit_tcp_connect_snmp_port(). Original definition on 255.
Compiling targeted oracle-xe module
oracle-xe.te:43: Warning: mcs_ptrace_all() has been deprecated, please remove mcs_constrained() instead.
oracle-xe.te:55: Warning: corecmd_exec_ls() has been deprecated, please use corecmd_exec_bin() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/oracle-xe.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/oracle-xe.mod
Creating targeted oracle-xe.pp policy package
rm tmp/oracle-xe.mod.fc tmp/oracle-xe.mod
```

*** Bug 1257574 has been marked as a duplicate of this bug. ***

Fix in spacewalk 2.4

This BZ closed some time during 2.5, 2.6 or 2.7. Adding to 2.7 tracking bug.
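Review bot: the second hunk (@@ -37,9 +40,32 @@) pastes the audit2allow output in verbatim, and three of those rules should be reworked before they ship. `allow oracle_tnslsnr_t snmp_port_t:tcp_socket name_connect;` is immediately preceded by audit2allow's own note that the `oracle_snmp_support` boolean already covers it, so it belongs inside `tunable_policy(`oracle_snmp_support', ...)` (or should be dropped in favour of the existing boolean) rather than being granted unconditionally. The two `{ siginh rlimitinh noatsecure }` rules on the `process` class are ordinary domain-transition noise; refpolicy silences these with `dontaudit`, not `allow`. And `allow oracle_db_t oracle_db_log_t:file execute;` exists only because `/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat` carries the log label in the denial (ino=265366); giving the `dbs/` directory its own file-context entry fixes the root cause, whereas granting `execute` on the log type means any file the database can write under that label can also be mapped executable. The `execute` grants on `tmpfs_t` and `zero_device_t` (the `/SYSV... (deleted)` segment and /dev/zero in the denials) amount to executable shared memory and deserve an explanatory comment next to the rule.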
Description of problem:
I tried to install Spacewalk with Oracle, but I can't. I got AVC messages in audit.log during configuration of the Oracle database.

Version-Release number of selected component (if applicable):
oracle-xe-11.2.0-1.0.x86_64

How reproducible:
always on Fedora 21/22

Steps to Reproduce:
1. try to install oracle-xe

Actual results:
```
>> /etc/init.d/oracle-xe configure
Oracle Database 11g Express Edition Configuration
-------------------------------------------------
This will configure on-boot properties of Oracle Database 11g Express Edition.
The following questions will determine whether the database should be starting
upon system boot, the ports it will use, and the passwords that will be used
for database accounts. Press <Enter> to accept the defaults. Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:
Specify a port that will be used for the database listener [1521]:
Specify a password to be used for database accounts. Note that the same
password will be used for SYS and SYSTEM. Oracle recommends the use of
different passwords for each database account. This can be done after
initial configuration:
Confirm the password:

Do you want Oracle Database 11g Express Edition to be started on boot (y/n) [y]:
Starting Oracle Net Listener...Done
Configuring database...
Database Configuration failed.
Look into /u01/app/oracle/product/11.2.0/xe/config/log for details
```

Additional info:
```
type=AVC msg=audit(1441034977.975:938): avc: denied { rlimitinh } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:939): avc: denied { siginh } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:940): avc: denied { noatsecure } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.471:941): avc: denied { name_connect } for pid=14635 comm="tnslsnr" dest=199 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=tcp_socket permissive=1
type=USER_START msg=audit(1441034978.491:947): pid=14639 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="oracle" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1441034978.767:948): avc: denied { rlimitinh } for pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.767:949): avc: denied { siginh } for pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.767:950): avc: denied { noatsecure } for pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.777:951): avc: denied { execute } for pid=14652 comm="oracle" path="/etc/ld.so.cache" dev="dm-0" ino=131880 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.326:952): avc: denied { execute } for pid=14652 comm="oracle" path=2F535953566330613539343434202864656C6574656429 dev="tmpfs" ino=32768 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.604:953): avc: denied { execute } for pid=14652 comm="oracle" path="/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat" dev="dm-0" ino=265366 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:oracle_db_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.671:954): avc: denied { execute } for pid=14652 comm="oracle" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1441034982.305:955): avc: denied { execute } for pid=14705 comm="oracle" path="/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat" dev="dm-0" ino=265366 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:oracle_db_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034983.331:956): avc: denied { execute } for pid=14711 comm="oracle" path=2F535953566330613539343434202864656C6574656429 dev="tmpfs" ino=32768 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034983.337:957): avc: denied { execute } for pid=14711 comm="oracle" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1441035047.068:958): avc: denied { name_bind } for pid=14635 comm="tnslsnr" src=8080 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
```
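The denials above are what `audit2allow` collapsed into the rule list in the first comment. The script below is an added example, not part of this bug report and not code from Spacewalk, oracle-xe-selinux or audit2allow: it performs the same grouping over the AVC lines quoted in this report (embedded inline), decodes the hex-encoded tmpfs path that auditd emitted for the SysV shared-memory segment, and flags the generated rules a reviewer should not accept verbatim: `execute` on file types that are never programs (the executable-memory pattern), the siginh/rlimitinh/noatsecure trio that is conventionally silenced with `dontaudit`, `execute` on a log type (a labeling problem), and a denial that audit2allow itself said a boolean covers. The boolean table is copied from the audit2allow hint on this page; the heuristics and their names are this example's own.

```python
"""Group SELinux AVC denials into candidate rules and flag the risky ones.

Added example for bug 1258563; not audit2allow, Spacewalk or oracle-xe-selinux
code. BOOLEAN_HINTS is copied from the audit2allow output quoted in the bug; a
real tool derives it from the installed policy. The review heuristics are ours.
"""
import re
from collections import defaultdict

# AVC records copied from the "Additional info" section of the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441034977.975:938): avc: denied { rlimitinh } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:939): avc: denied { siginh } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:940): avc: denied { noatsecure } for pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.471:941): avc: denied { name_connect } for pid=14635 comm="tnslsnr" dest=199 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1441034978.777:951): avc: denied { execute } for pid=14652 comm="oracle" path="/etc/ld.so.cache" dev="dm-0" ino=131880 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.326:952): avc: denied { execute } for pid=14652 comm="oracle" path=2F535953566330613539343434202864656C6574656429 dev="tmpfs" ino=32768 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.604:953): avc: denied { execute } for pid=14652 comm="oracle" path="/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat" dev="dm-0" ino=265366 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:oracle_db_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.671:954): avc: denied { execute } for pid=14652 comm="oracle" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1441035047.068:958): avc: denied { name_bind } for pid=14635 comm="tnslsnr" src=8080 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd prints these string fields quoted, or as bare hex when they contain
# spaces, quotes or control characters (the tmpfs path above is one such case).
HEX_ENCODED_FIELDS = {'path', 'comm', 'exe', 'name'}

TRANSITION_NOISE = {'siginh', 'rlimitinh', 'noatsecure'}
NON_PROGRAM_TYPES = {'ld_so_cache_t', 'zero_device_t', 'tmpfs_t'}
BOOLEAN_HINTS = {  # (target type, class, permission) -> booleans, from the page
    ('snmp_port_t', 'tcp_socket', 'name_connect'): ('nis_enabled', 'oracle_snmp_support'),
}


def decode_audit_value(value):
    """Strip quotes from a printable audit string or decode a hex-encoded one."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        try:
            return bytes.fromhex(value).decode('utf-8')
        except ValueError:  # not valid UTF-8 after all; keep the raw token
            return value
    return value


def parse_avc(line):
    """Return the parts of one AVC denial, or None for any other record."""
    if not line.startswith('type=AVC'):
        return None
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(match.group('fields')):
        fields[key] = decode_audit_value(raw) if key in HEX_ENCODED_FIELDS else raw
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None
    return {
        'perms': frozenset(match.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],  # type component of the context
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
    }


def group_denials(audit_text):
    """Collapse denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def rule_text(stype, ttype, tclass, perms):
    """Render a rule the way audit2allow does (braces only for several perms)."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (stype, ttype, tclass, body)


def review_flags(stype, ttype, tclass, perms):
    """Heuristic reasons not to accept a generated rule as written."""
    flags = []
    if tclass == 'process' and set(perms) <= TRANSITION_NOISE:
        flags.append('dontaudit candidate: siginh/rlimitinh/noatsecure are silenced, not granted')
    if 'execute' in perms and ttype in NON_PROGRAM_TYPES:
        flags.append('executable-memory pattern: execute on a non-program file type (mmap PROT_EXEC)')
    if 'execute' in perms and ttype.endswith('_log_t'):
        flags.append('execute on a log type: file is probably mislabeled, fix file contexts instead')
    for perm in sorted(perms):
        booleans = BOOLEAN_HINTS.get((ttype, tclass, perm))
        if booleans:
            flags.append('boolean available (%s): use tunable_policy, not an unconditional allow'
                         % ', '.join(booleans))
    return flags


def render_report(audit_text):
    """audit2allow-style listing, each rule followed by its review flags."""
    rules = group_denials(audit_text)
    out, current = [], None
    for stype, ttype, tclass in sorted(rules):
        if stype != current:
            current = stype
            out.append('#============= %s ==============' % stype)
        perms = rules[(stype, ttype, tclass)]
        out.append(rule_text(stype, ttype, tclass, perms))
        out.extend('#   REVIEW: ' + flag for flag in review_flags(stype, ttype, tclass, perms))
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_report(SAMPLE_AUDIT_LOG))
```

Run it against a real file with `python3 avc_review.py < /var/log/audit/audit.log` after replacing `SAMPLE_AUDIT_LOG` with `sys.stdin.read()`; the hex decoding is what turns `path=2F5359...` into `/SYSVc0a59444 (deleted)`, which identifies the tmpfs execute denial as a shared-memory segment rather than a file on disk.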