Bug 495869

Summary: SELinux denial when running spacewalk-schema-upgrade
Product: Red Hat Satellite 5
Component: Upgrades
Version: 530
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Milan Zázrivec <mzazrivec>
Assignee: Jan Pazdziora <jpazdziora>
QA Contact: Jeff Browning <jbrownin>
CC: cperry, msuchy
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-08-27 17:38:22 UTC
Bug Blocks: 456986, 457079
Attachments: part of audit.log (selinux permissive)

Description Milan Zázrivec 2009-04-15 09:28:01 UTC
Created attachment 339658
part of audit.log (selinux permissive)

Description of problem:
Running spacewalk-schema-upgrade script with SELinux enabled gives a denial.

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-8
oracle-nofcontext-selinux-0.1-23.6
oracle-rhnsat-selinux-10.2-10
spacewalk-selinux-0.5.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.2.0 on RHEL-5, selinux enabled (permissive at least)
2. Install rhn-upgrade, run upgrade to 5.3.0
3. One of the upgrade steps involves running spacewalk-schema-upgrade script
  
Actual results:
See attachment.

Expected results:
No denial.

Additional info:
N/A

Comment 1 Jan Pazdziora 2009-04-21 12:54:59 UTC
Fixed in Spacewalk repo, master and VADER branches; commits 9d63b6a900279c8efb6be60bfdbffd791a59a7f6 and 50f689b774db03181ecd57adf9e6cc893a1d44c2 in VADER.

Comment 2 Jan Pazdziora 2009-04-27 13:12:49 UTC
Packages spacewalk-selinux-0.5.3-2.el5sat and spacewalk-schema-0.5.20-8.el5sat are on compose Satellite-5.3.0-RHEL5-re20090424.1, moving ON_QA.

Comment 3 Jeff Browning 2009-07-07 18:44:01 UTC
No SELinux denials encountered during the upgrade process from 520 to 530.

Verified.

Comment 4 Miroslav Suchý 2009-08-27 09:47:15 UTC
After upgrade I got in audit.log only:
[root@xen15 ~]# grep denied /var/log/audit/audit.log |grep sqlplus
type=AVC msg=audit(1251295477.026:1205): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1251295477.070:1206): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="mnt" dev=xvda1 ino=281953 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1251296580.263:1214): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

which may be leaked screen file descriptors, but the message in #0 is definitely not there.
Verified in stage on xen15.

Comment 5 Brandon Perkins 2009-08-27 17:38:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1235.html