Bug 488699

Summary: AVCs during 20090227.1 installation
Product: Red Hat Satellite 5
Reporter: Jan Hutař <jhutar>
Component: Server
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Jan Hutař <jhutar>
Severity: medium
Priority: medium
Version: 530
CC: cperry, mzazrivec
Hardware: All
OS: Linux
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 19:12:17 UTC
Bug Depends On: 493629    
Bug Blocks: 457079    
Attachments:
Description Flags
audit.log (also processed by audit2allow and audit2why) none

Description Jan Hutař 2009-03-05 09:40:51 UTC
Created attachment 334114
audit.log (also processed by audit2allow and audit2why)

Description of problem:
During Satellite-5.3.0-RHEL5-re20090227.1/i386 installation on RHEL5-Server-U3 some AVCs appeared in the audit.log.


Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090227.1/i386


How reproducible:
probably always


Steps to Reproduce:
1. /mnt/redhat/devel/candidate-trees/Satellite-5.3.0-RHEL5-re20090227.1/i386/i386//install.pl --answer-file=/mnt/tests/CoreOS/RHN-Satellite/Installer/Sanity/install/answers.txt --non-interactive --disconnected --run-updater


Actual results:
#============= load_policy_t ==============
allow load_policy_t initrc_t:fifo_file write;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t etc_runtime_t:file { read getattr };
allow oracle_sqlplus_t nfs_t:dir search;

#============= oracle_tnslsnr_t ==============
allow oracle_tnslsnr_t initrc_t:fifo_file { read write };

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t etc_runtime_t:file { read getattr };

#============= setfiles_t ==============
allow setfiles_t rpm_script_t:fifo_file write;

#============= spacewalk_monitoring_t ==============
allow spacewalk_monitoring_t initrc_t:fifo_file { read write ioctl getattr };


Expected results:
no AVCs


Additional info:
noted in RHTS job:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=48979

Comment 1 Jan Pazdziora 2009-04-06 12:51:23 UTC
The load_policy_t and setfiles_t issues addressed in 4ac8e4589ccef0d1b54236d7096f030fca4b5244.

The spacewalk_monitoring_t initrc_t:fifo_file addressed in 883d0398abac9155216864c8e62cfd4e6ec39a55.

The oracle_sqlplus_t nfs_t:dir search issue -- I am not exactly sure where it comes from.

The oracle_tnslsnr_t initrc_t:fifo_file -- again, not exactly sure.

The etc_runtime_t is strange -- I never saw /etc/tnsnames.ora created with this type.

I just tried installation of Satellite-5.3.0-RHEL5-re20090403.2 on i386 and reboot and did not get any AVCs.

Comment 2 Jan Pazdziora 2009-04-10 12:52:17 UTC
As also noted in bug 493629, the etc_runtime_t AVC denial seems to be caused by the way the RHTS automation tests are started -- as initrc_t, not as unconfined_t.

Comment 3 Jan Pazdziora 2009-04-10 12:54:27 UTC
The other AVC denials were either addressed or I was not able to reproduce them. Moving to MODIFIED for now, as soon as RHTS is changed to run ./install.pl as unconfined_t, we should be able to move ON_QA to re-test.

Comment 4 Jan Pazdziora 2009-04-15 07:25:20 UTC
Moving ON_QA, as Jan H. noted in bug 493629 comment 6 that RHTS now uses runcon.
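
One way to start an installer from unconfined_t when the calling harness runs in another domain such as initrc_t, as Comments 2 to 4 describe for RHTS. This is an added example, not the actual RHTS change: the function names and WANT_TYPE are assumptions, and the loaded policy must permit the transition that runcon requests.

```shell
#!/bin/sh
# Added example (not the RHTS code): run a command in a chosen SELinux
# domain when the caller is confined elsewhere, e.g. initrc_t.
# WANT_TYPE and all function names are assumptions made for this example.
WANT_TYPE="unconfined_t"

# Print the type field of a context "user:role:type[:level]".
# The level may contain colons itself (s0-s0:c0.c1023), so take field 3 only.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (return 0) when the given context is in a domain other than
# WANT_TYPE. An empty context means SELinux is disabled or id -Z is not
# supported, in which case there is nothing to transition to.
needs_runcon() {
    [ -n "$1" ] && [ "$(context_type "$1")" != "$WANT_TYPE" ]
}

# Print the caller's current context, or nothing if it cannot be read.
current_context() {
    id -Z 2>/dev/null || true
}

# Run "$@" directly when already in WANT_TYPE, otherwise through runcon.
# Arguments are passed as "$@" so paths and options keep their quoting.
run_in_wanted_domain() {
    ctx=$(current_context)
    if needs_runcon "$ctx"; then
        echo "caller is $(context_type "$ctx"), switching to $WANT_TYPE" >&2
        runcon -t "$WANT_TYPE" -- "$@"
    else
        "$@"
    fi
}

# Usage, with the installer invocation from the report:
#   run_in_wanted_domain ./install.pl --non-interactive --disconnected
```
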

Comment 5 Jan Hutař 2009-04-16 12:34:36 UTC
Thanks to jpazdziora I have fixed the test and now satellite installs correctly, closing this one.

Comment 6 Jan Pazdziora 2009-04-16 13:23:03 UTC
Could you make the bugzilla VERIFIED then? We don't want this issue to disappear in the NOTABUG pile as the problem might reappear and by having it not CLOSED, it will be more visible.

Comment 7 Jan Hutař 2009-04-17 07:13:29 UTC
Sorry, done.

Comment 8 Milan Zázrivec 2009-09-02 11:32:28 UTC
Verified with last stage iso, no denials -> RELEASE_PENDING

Comment 9 Brandon Perkins 2009-09-10 19:12:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html