Bug 495869
Summary: | SELinux denial when running spacewalk-schema-upgrade | | |
---|---|---|---|
Product: | Red Hat Satellite 5 | Reporter: | Milan Zázrivec <mzazrivec> |
Component: | Upgrades | Assignee: | Jan Pazdziora <jpazdziora> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Jeff Browning <jbrownin> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 530 | CC: | cperry, msuchy |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | sat530 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-08-27 17:38:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 456986, 457079 | | |
Attachments: | | | |

Fixed in Spacewalk repo, master and VADER branches; commits 9d63b6a900279c8efb6be60bfdbffd791a59a7f6 and 50f689b774db03181ecd57adf9e6cc893a1d44c2 in VADER.

Packages spacewalk-selinux-0.5.3-2.el5sat and spacewalk-schema-0.5.20-8.el5sat are on compose Satellite-5.3.0-RHEL5-re20090424.1, moving ON_QA.

No SELinux denials encountered during the upgrade process from 520 to 530. Verified.

After upgrade I got in audit.log only:

[root@xen15 ~]# grep denied /var/log/audit/audit.log |grep sqlplus
type=AVC msg=audit(1251295477.026:1205): avc: denied { search } for pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1251295477.070:1206): avc: denied { search } for pid=21841 comm="sqlplus" name="mnt" dev=xvda1 ino=281953 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1251296580.263:1214): avc: denied { search } for pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

which may be leaked screen file descriptors. But the message in #0 is definitely not there.

Verified in stage on xen15.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1235.html

Created attachment 339658
part of audit.log (selinux permissive)

Description of problem:
Running spacewalk-schema-upgrade script with SELinux enabled gives a denial.

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-8
oracle-nofcontext-selinux-0.1-23.6
oracle-rhnsat-selinux-10.2-10
spacewalk-selinux-0.5.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.2.0 on RHEL-5, selinux enabled (permissive at least)
2. Install rhn-upgrade, run upgrade to 5.3.0
3. One of the upgrade steps involves running spacewalk-schema-upgrade script

Actual results:
See attachment.

Expected results:
No denial.

Additional info:
N/A
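
An added example, not part of the original bug report or of any Spacewalk code: a small Python parser that groups AVC denials like the three quoted in the verification comment by source type, target type, class and permission, so the denials left after an upgrade can be compared with the one originally reported. The names `parse_avc` and `summarize` are hypothetical; the sample records are copied from the comment above.

```python
import re
from collections import Counter

# The three AVC records quoted in the verification comment of this bug.
SAMPLE = [
    'type=AVC msg=audit(1251295477.026:1205): avc: denied { search } for pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1251295477.070:1206): avc: denied { search } for pid=21841 comm="sqlplus" name="mnt" dev=xvda1 ino=281953 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'type=AVC msg=audit(1251296580.263:1214): avc: denied { search } for pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
]

# \s+ tolerates both the single spaces shown here and the double spaces
# that auditd writes in a raw audit.log.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"serial": int(m["serial"]), "perms": m["perms"].split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the level may itself contain ':'.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(lines, comm=None):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec.get("comm") != comm):
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"],
                    rec.get("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE, comm="sqlplus").most_common():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }}")
```
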