Bug 178217

Summary: su prompts for security context, causing Oracle startup to fail
Product: Red Hat Enterprise Linux 4
Reporter: Bevis King <brwk>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Version: 4.0
Hardware: i686   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-07-11 18:07:07 UTC
Attachments: /etc/init.d script for Oracle 10g (flags: none)

Description Bevis King 2006-01-18 17:10:59 UTC
Description of problem:
Since the latest update (U2), having SELinux enabled on RHEL4 causes the su
command to issue the following interactive challenge:

su
Password:
Your default context is root:system_r:unconfined_t.

Do you want to choose a different one? [n]

This appears to be causing the su - oracle action of the Oracle 10g dbora
startup script in /etc/init.d/ to hang waiting for an interactive response.
This means that after the update, the Oracle 10g database no longer restarts
after a reboot, instead hanging indefinitely (overnight at least) in the init
script.

Initial investigations seemed to suggest a -Z or --context= option to su would
proactively provide the required info and would resolve the issue.  The current
version of su (coreutils-5.2.1-31.2) for RHEL4 does not support this option.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-31.2
kernel-2.6.9-22
selinux-policy-targeted-1.17.30-2.110

sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted


How reproducible:
Every time.

Steps to Reproduce:
1.  reboot system - /etc/init.d/dbora will hang indefinitely
Actual results:
Oracle 10g database fails to start since update.

Expected results:
Oracle 10g database starts as previously.

Additional info:
Appropriate dbora script will be attached.

Comment 1 Bevis King 2006-01-18 17:10:59 UTC
Created attachment 123388 [details]
/etc/init.d script for Oracle 10g

Comment 2 Daniel Walsh 2006-01-18 19:16:41 UTC
They should be using runuser instead of su.

You can also remove the multiple field from the /etc/pam.d/su file.



Comment 3 Bevis King 2006-06-28 14:47:27 UTC
Switching to runuser has resolved the problem.  Did this get fed back to Oracle
or do you wish me to raise a TAR with them?

Regards, Bevis.
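
Added example, not part of the bug thread or the attached dbora script: a shell sketch of the two remedies from Comment 2, reporting any pam_selinux.so line that carries the multiple option and preferring runuser over su in a boot script. It assumes "the multiple field" means the multiple option on the pam_selinux.so line; the function names, the /sbin/runuser default path and the usage shown in the comments are also assumptions.

```sh
#!/bin/sh
# Added example: helper functions for a boot-time init script.
# All function names here are hypothetical.

# Print each non-comment pam_selinux.so line in a PAM service file that
# carries the "multiple" option. Exit status: 0 = found, 1 = not found,
# 2 = file not readable.
pam_selinux_multiple() {
    pam_file=$1
    [ -r "$pam_file" ] || return 2
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out lines
        /pam_selinux\.so/ {
            for (i = 1; i <= NF; i++)       # match the option as a whole word
                if ($i == "multiple") {
                    print FILENAME ":" FNR ": " $0
                    found = 1
                    break
                }
        }
        END { exit(found ? 0 : 1) }
    ' "$pam_file"
}

# Pick the user-switching command for a non-interactive script:
# runuser when it is installed at the given path (assumed default
# /sbin/runuser), otherwise fall back to su.
pick_switcher() {
    runuser_path=${1:-/sbin/runuser}
    if [ -x "$runuser_path" ]; then
        echo "$runuser_path"
    else
        echo su
    fi
}

# Run one command string as another user with a login environment.
# Usage (placeholder command): run_as oracle "<startup command>"
run_as() {
    run_user=$1
    run_cmd=$2
    "$(pick_switcher)" - "$run_user" -c "$run_cmd"
}
```

Running `pam_selinux_multiple /etc/pam.d/su` before a reboot shows whether su is still configured to ask for a context.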