Bug 1264533
| Summary: | Oracle Grid 12c Failed to stat() POSIX shared memory segment | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Yeisley <dyeisley> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.2 | CC: | dyeisley, fdanapfe, lvrabec, martin.marques, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tbowling, tmichael, troels | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-12-03 16:00:18 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Daniel Yeisley
2015-09-18 17:36:35 UTC
Daniel, any chance to test it with permissive mode if we can get more AVCs? Created attachment 1075542 [details]
selinux error log
I generated the attached log with the following command: /sbin/ausearch --input-logs -sv no -m AVC -m USER_AVC -m SELINUX_ERR
Do you know what process creates /dev/shm/ora_+ASM2_223477764_257? Does everything work if you add a local policy? Re-tets in permissive and run #setenforce 1;setenforce 0 #ausearch -m avc -ts recent |audit2allow -M mypol #semodule -i mypol.pp Thank you. This issue is related to a change made to systemd. * logind will now automatically remove all IPC objects owned by a user if she or he fully logs out. This makes sure that users who are logged out cannot continue to consume IPC resources. This covers SysV memory, semaphores and message queues as well as POSIX shared memory and message queues. Traditionally SysV and POSIX IPC had no life-cycle limits, with this functionality this is corrected. This may be turned off using the RemoveIPC= switch of logind.conf. I added the switch mentioned in the changelog and restarted the logind service. I installed Oracle 12c Grid and Oracle 12c database and started a stress test against it. I don't see any complaints in /var/log/messages or selinux issues. [root@localhost ~]# ausearch -m avc -ts recent <no matches> [root@localhost ~]# grep POSIX /var/log/messages Sep 30 17:03:14 veritas5 systemd: Mounted POSIX Message Queue File System. [root@localhost ~]# (In reply to Daniel Yeisley from comment #5) > This issue is related to a change made to systemd. > > * logind will now automatically remove all IPC objects owned > by a user if she or he fully logs out. This makes sure that > users who are logged out cannot continue to consume IPC > resources. This covers SysV memory, semaphores and message > queues as well as POSIX shared memory and message > queues. Traditionally SysV and POSIX IPC had no life-cycle > limits, with this functionality this is corrected. This may > be turned off using the RemoveIPC= switch of logind.conf. > > I added the switch mentioned in the changelog and restarted the logind > service. > > I installed Oracle 12c Grid and Oracle 12c database and started a stress > test against it. I don't see any complaints in /var/log/messages or selinux > issues. > > [root@localhost ~]# ausearch -m avc -ts recent > <no matches> > [root@localhost ~]# grep POSIX /var/log/messages > Sep 30 17:03:14 veritas5 systemd: Mounted POSIX Message Queue File System. > [root@localhost ~]# So if I understand correctly you are not able to reproduce it again, right? (In reply to Miroslav Grepl from comment #6) > (In reply to Daniel Yeisley from comment #5) > > This issue is related to a change made to systemd. > > > > * logind will now automatically remove all IPC objects owned > > by a user if she or he fully logs out. This makes sure that > > users who are logged out cannot continue to consume IPC > > resources. This covers SysV memory, semaphores and message > > queues as well as POSIX shared memory and message > > queues. Traditionally SysV and POSIX IPC had no life-cycle > > limits, with this functionality this is corrected. This may > > be turned off using the RemoveIPC= switch of logind.conf. > > > > I added the switch mentioned in the changelog and restarted the logind > > service. > > > > I installed Oracle 12c Grid and Oracle 12c database and started a stress > > test against it. I don't see any complaints in /var/log/messages or selinux > > issues. > > > > [root@localhost ~]# ausearch -m avc -ts recent > > <no matches> > > [root@localhost ~]# grep POSIX /var/log/messages > > Sep 30 17:03:14 veritas5 systemd: Mounted POSIX Message Queue File System. > > [root@localhost ~]# > > So if I understand correctly you are not able to reproduce it again, right? If I set "RemoveIPC=yes" in /etc/systemd/logind.conf with selinux=enforcing then yes I can reproduce it. Setting "RemoveIPC=no" makes it go away. I think what this requires is documentation. Oracle Grid users should set the RemoveIPC=no in /etc/systemd/logind.conf. Yes we need to have fixes for this option. But how is Oracle 12c Grid started? (In reply to Miroslav Grepl from comment #8) > Yes we need to have fixes for this option. > > But how is Oracle 12c Grid started? I guess I don't understand what needs to be fixed. As long as RemoveIPC=no is set then there is no issue. I'm ready to close this as NOTABUG. (In reply to Daniel Yeisley from comment #9) > (In reply to Miroslav Grepl from comment #8) > > Yes we need to have fixes for this option. > > > > But how is Oracle 12c Grid started? > > I guess I don't understand what needs to be fixed. As long as RemoveIPC=no > is set then there is no issue. I'm ready to close this as NOTABUG. My point is it could happen also for another cases if RemoveIPC=Yes is used. (In reply to Miroslav Grepl from comment #10) > (In reply to Daniel Yeisley from comment #9) > > (In reply to Miroslav Grepl from comment #8) > > > Yes we need to have fixes for this option. > > > > > > But how is Oracle 12c Grid started? > > > > I guess I don't understand what needs to be fixed. As long as RemoveIPC=no > > is set then there is no issue. I'm ready to close this as NOTABUG. > > My point is it could happen also for another cases if RemoveIPC=Yes is used. Yes, SAP sw also uses POSIX shared memory segments extensively, therefore having them removed automatically when the user running the SAP processes logs out will hurt customers running SAP as well. Since this is a change from previous RHEL releases I would say this is a reression ant therefore should be fixed asap. This looks to be the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1284588 There have now also been reports from customers running SAP software on RHEL7 that after upgrading to RHEL 7.2 their SAP installations are broken because of this, therefore this change should be reverted asap. (In reply to Frank Danapfel from comment #12) > This looks to be the same issue as > https://bugzilla.redhat.com/show_bug.cgi?id=1284588 > > There have now also been reports from customers running SAP software on > RHEL7 that after upgrading to RHEL 7.2 their SAP installations are broken > because of this, therefore this change should be reverted asap. Yes, they appear to be the same issue. I got around it by setting RemoveIPC=no in /etc/systemd/logind.conf and restarting the service. OK, looks like a Z-Stream fix is on the way: https://bugzilla.redhat.com/show_bug.cgi?id=1286031 can possibly close this as a duplicate of bz1284588 ? (In reply to Terry Bowling from comment #15) > can possibly close this as a duplicate of bz1284588 ? Yes. *** This bug has been marked as a duplicate of bug 1284588 *** |