Bug 508368

Summary: SELinux issue on s390x install
Product: Red Hat Satellite 5
Reporter: John Matthews <jmatthew>
Component: Other
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED DUPLICATE
QA Contact: John Matthews <jmatthew>
Severity: medium
Docs Contact:
Priority: low
Version: 530
CC: cperry, whayutin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-30 17:32:58 UTC Type: ---
Bug Blocks: 457079    
Attachments:
Description Flags
grep AVC /var/log/audit/audit.log none

Description John Matthews 2009-06-26 18:46:46 UTC
Description of problem:

Installed Satellite on s390x, it failed.  I attempted reinstall and it said it couldn't connect to database.

I started oracle and it failed.
Saw error:

# /etc/init.d/oracle start
/opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl: error while loading shared libraries: /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1: cannot restore segment prot after reloc: Permission denied


I assumed it's a SELinux issue.
I ran:
chcon -R -t textrel_shlib_t /opt/apps/oracle

Now oracle starts.


Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090625.0-s390x-embedded-oracle.iso

How reproducible:
Unsure, the s390x boxes are having more oracle issues with install.  I don't know if the SELinux portion happens towards the end of the install, and the installer bailed out before hitting that area.


Steps to Reproduce:
1. Install sat on s390x, exit install after db install but before finish.
2. Start oracle
  
Actual results:
# /etc/init.d/oracle start
/opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl: error while loading shared libraries: /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1: cannot restore segment prot after reloc: Permission denied


Expected results:
Oracle starts

Additional info:

Comment 1 Jan Pazdziora 2009-06-29 07:05:42 UTC
John,

can you please paste output of:

rpm -q redhat-release
(that's because generally s390x installs on *.z900.redhat.com were RHEL 5.0, not good)

semodule -l
(to see if the SELinux policy modules are loaded at all)

grep AVC /var/log/audit/audit.log
(to see what AVC denials you got)

ls -Z /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
(to see the type of these two)

execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
(to see the execstack of these two)

Thank you.

Comment 2 Jan Pazdziora 2009-06-29 07:08:25 UTC
In general, I consider this a dupe of 505606 but I'd like to have it confirmed.

Comment 3 John Matthews 2009-06-30 16:55:24 UTC
Hi Jan,

This is the default RHEL 5.0 provisioning setup from the z900 setup.


rpm -q redhat-release
redhat-release-5Server-5.0.0.9


# semodule -l
amavis	1.1.0
ccs	1.0.0
clamav	1.1.0
dcc	1.1.0
dnsmasq	1.1.1
evolution	1.1.0
ipsec	1.4.0
iscsid	1.0.0
mozilla	1.1.0
mplayer	1.1.0
nagios	1.1.0
oddjob	1.0.1
pcscd	1.0.0
pki	1.0.0
prelude	1.0.0
pyzor	1.1.0
razor	1.1.0
ricci	1.0.0
smartmon	1.1.0
virt	1.0.0
zosremote	1.0.0


# ls -Z /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
-rwxr-x--x  oracle dba system_u:object_r:textrel_shlib_t /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl

rwxr-xr-x  oracle dba system_u:object_r:textrel_shlib_t /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1


execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
- /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl

 execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
- /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1

Comment 4 John Matthews 2009-06-30 16:57:05 UTC
Created attachment 349972 [details]
grep AVC /var/log/audit/audit.log

Comment 5 Jan Pazdziora 2009-06-30 17:32:58 UTC
John, installation of plain RHEL 5.0 will not work unless you relabel the filesystem. None of the Spacewalk/Oracle SELinux modules are loaded here.

Please see bug 505606 for more info. I'm closing this bugzilla as dupe of 505606. Feel free to reopen if you think otherwise.

*** This bug has been marked as a duplicate of bug 505606 ***

Comment 6 John Matthews 2009-07-01 21:30:57 UTC
Hi Jan,

I followed your advice and upgraded the s390x machine to 5.3, did the upgrade from 5.0 to 5.3 through "yum update -y" followed by a reboot.

# rpm -q redhat-release
redhat-release-5Server-5.3.0.3

I attempted an install, it failed with this message:
oracle-rhnsat   10.2.11.4
+ restorecon -rv /rhnsat
restorecon set context /rhnsat->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/admin->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/data->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'

I then realized I didn't relabel the FS as you said, so I executed:
# touch /.autorelabel
# reboot

I watched through the x3270 console and saw that the files were relabeled during bootup.

I re-ran the install.pl and saw the same Oracle errors:
# tail /var/log/rhn/install_db.log 
+ mkdir -p /rhnsat/data /rhnsat/admin
+ chown -R oracle:dba /rhnsat
+ selinuxenabled
+ semodule -l
+ grep '^oracle-rhnsat\b'
oracle-rhnsat	10.2.11.4
+ restorecon -rv /rhnsat
restorecon set context /rhnsat->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/admin->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/data->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'


/rhnsat is a NFS mount
/var/satellite is a NFS mount


# grep AVC /var/log/audit/audit.log 
type=USER_AVC msg=audit(1246479370.866:27): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479393.706:30): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=3) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479420.986:31): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479440.806:33): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=5) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479451.436:35): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=6) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479460.406:37): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479580.806:39): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=8) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479588.956:42): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=9) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479748.756:57): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=10) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479789.926:59): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=11) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479824.936:61): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=12) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479833.796:62): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479943.236:66): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479955.166:68): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=15) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479962.096:70): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=16) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479979.206:72): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=17) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479989.316:74): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=18) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246482578.398:49): user pid=1393 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'


# semodule -l
amavis	1.1.0
ccs	1.0.0
clamav	1.1.0
dcc	1.1.0
dnsmasq	1.1.1
evolution	1.1.0
ipsec	1.4.0
iscsid	1.0.0
jabber	1.4.2.6
mozilla	1.1.0
mplayer	1.1.0
nagios	1.1.0
oddjob	1.0.1
oracle-nofcontext	1.1.1
oracle-rhnsat	10.2.11.4
osa-dispatcher	5.9.10.5
pcscd	1.0.0
pki	1.0.0
prelude	1.0.0
pyzor	1.1.0
razor	1.1.0
ricci	1.0.0
smartmon	1.1.0
spacewalk-monitoring	0.5.7.9
spacewalk	0.5.4.9
virt	1.0.0
zosremote	1.0.0


# ls -Z /rhnsat/
drwxr-xr-x  oracle dba system_u:object_r:nfs_t          admin
drwxr-xr-x  oracle dba system_u:object_r:nfs_t          data


Do you have any tips for getting past these errors?

Thanks,
John

Comment 8 John Matthews 2009-07-01 21:40:55 UTC
Setting NEED_INFO for comment #6, as I removed it by accident.

Comment 9 Jan Pazdziora 2009-07-02 06:54:05 UTC
/rhnsat on NFS is not supported. If you want to test embedded on s390x, you'll need to find machine with large enough disk to put the embedded data in /rhnsat on the local disk.
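
A pre-flight check for the two conditions that blocked this install (policy modules not loaded, as in comment 5, and /rhnsat on NFS, as in comment 9), written as an added example and not part of the bug report or the Satellite installer. The required-module list, the function names and the sample module and mount tables are assumptions constructed from output quoted in this thread.

```bash
#!/bin/bash
# Added example; inputs are constructed from output quoted in this bug.
# Assumption: these three modules (names from comment 6) must be loaded.
REQUIRED_MODULES="oracle-rhnsat oracle-nofcontext spacewalk"

# missing_modules <semodule -l text>: print required modules that are absent.
missing_modules() {
    local mod missing=""
    for mod in $REQUIRED_MODULES; do
        # Compare the whole first field so spacewalk-monitoring != spacewalk.
        printf '%s\n' "$1" |
            awk -v m="$mod" '$1 == m { ok = 1 } END { exit !ok }' ||
            missing="$missing $mod"
    done
    printf '%s' "${missing# }"
}

# fstype_for <path> <mount table>: type of the deepest mount containing path.
fstype_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        (p == $2 || $2 == "/" || index(p, $2 "/") == 1) && length($2) >= best {
            best = length($2); fs = $3 }
        END { print fs }'
}

# labels_supported <fstype>: assumption taken from this thread, where the
# NFS-mounted /rhnsat showed nfs_t and restorecon could not set contexts.
labels_supported() {
    case "$1" in nfs|nfs4|"") return 1 ;; *) return 0 ;; esac
}

# preflight <data dir> <semodule -l text> <mount table>: 0 if install can proceed.
preflight() {
    local missing fs rc=0
    missing=$(missing_modules "$2")
    [ -z "$missing" ] || { echo "FAIL: modules not loaded: $missing"; rc=1; }
    fs=$(fstype_for "$1" "$3")
    labels_supported "$fs" || { echo "FAIL: $1 is on '$fs', cannot relabel"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $1 is ready"
    return "$rc"
}

# Constructed samples: a RHEL 5.0-like module list, the post-upgrade list, mounts.
MODS_OLD=$(printf 'amavis\t1.1.0\nvirt\t1.0.0\n')
MODS_NEW=$(printf 'oracle-nofcontext\t1.1.1\noracle-rhnsat\t10.2.11.4\nspacewalk-monitoring\t0.5.7.9\nspacewalk\t0.5.4.9\n')
MOUNTS=$(printf '/dev/dasda1 / ext3 rw 0 0\nfiler.example.com:/export/rhnsat /rhnsat nfs rw 0 0\n')

preflight /rhnsat "$MODS_NEW" "$MOUNTS" || true   # live host: "$(semodule -l)" "$(cat /proc/mounts)"
```

With the constructed post-upgrade inputs the check reports the NFS mount as the remaining blocker, which matches the restorecon 'Operation not supported' failures in comment 6.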

Comment 10 John Matthews 2009-08-20 12:48:37 UTC
Marking CloseValid