Bug 514558 - Fedora 11 Spacewalk 0.6 Selinux Denials

| Field | Value |
|---|---|
| Summary | Fedora 11 Spacewalk 0.6 Selinux Denials |
| Product | [Community] Spacewalk |
| Component | Installation |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | low |
| Version | 0.6 |
| Hardware | i386 |
| OS | Linux |
| Reporter | Devan Goodwin <dgoodwin> |
| Assignee | Jan Pazdziora (Red Hat) <jpazdziora> |
| QA Contact | Red Hat Satellite QA List <satqe-list> |
| Doc Type | Bug Fix |
| Last Closed | 2009-09-10 12:06:47 UTC |
| Bug Depends On | 480189 |
| Bug Blocks | 456554 |
Description
Devan Goodwin
2009-07-29 16:28:03 UTC
Created attachment 355581 [details]
audit.log from F11 Spacewalk 0.6 install
Here's the list with just AVC denials:
type=AVC msg=audit(1248797928.282:16527): avc: denied { read } for pid=1421 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248797954.975:16540): avc: denied { read } for pid=1457 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248788799.612:5): avc: denied { read } for pid=1392 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248791346.653:60): avc: denied { execmod } for pid=19981 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libclntsh.so.10.1" dev=dm-1 ino=770116 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1248791349.544:61): avc: denied { execmod } for pid=20108 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libagtsh.so.1.0" dev=dm-1 ino=770114 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1248833474.212:22472): avc: denied { read } for pid=1449 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248883240.845:17): avc: denied { read } for pid=1304 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-1 ino=1548372 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
type=AVC msg=audit(1248884084.091:24): avc: denied { execmod } for pid=19139 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libocrutl10.so" dev=dm-1 ino=770143 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1248884095.846:25): avc: denied { execmod } for pid=19208 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libdbcfg10.so" dev=dm-1 ino=770123 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1248884155.128:30): avc: denied { read } for pid=19354 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248880809.113:281): avc: denied { execstack } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
type=AVC msg=audit(1248880809.113:281): avc: denied { execmem } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
type=AVC msg=audit(1248880809.342:282): avc: denied { read } for pid=21287 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-1 ino=1548417 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
type=AVC msg=audit(1248880810.860:287): avc: denied { execstack } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1248880810.860:287): avc: denied { execmem } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1248880813.416:288): avc: denied { execmod } for pid=21445 comm="java" path="/usr/lib/libwrapper.so" dev=dm-1 ino=634570 scontext=unconfined_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
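As an added example, not code from the bug report or from the Spacewalk project: a small Python triage script that parses AVC records of the shape listed above, collapses repeated denials into one row per (source type, permission, target type, class) and attaches the hint the thread arrived at for each class of denial. The hint heuristics are an assumption that covers only the cases seen in this report; the sample input is a few of the records above plus one constructed non-AVC line.

```python
import re
from collections import Counter
AVC_RE = re.compile(  # kernel AVC record, same shape as the audit.log lines above
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?P<rest>.*)tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC fields as a dict, or None for a line that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()          # e.g. ['read'] or ['execmod']
    for k, v in KV_RE.findall(rec.pop('rest')):  # name/path/dev/ino/scontext/tcontext
        rec[k] = v.strip('"')
    # The SELinux type is the third colon-separated field of a context string.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def hint(stype, perm, ttype, tclass):
    """Triage hint mirroring the thread's reasoning (assumption: only the cases seen there)."""
    if perm == 'execmod' and tclass == 'file' and ttype == 'lib_t':
        return 'library with text relocations labeled lib_t: relabel to textrel_shlib_t'
    if perm in ('execmem', 'execstack') and tclass == 'process':
        return 'executable memory/stack requested: check execstack -q on the libraries it loads'
    if perm == 'read' and tclass == 'file' and ttype == 'admin_home_t':
        return 'file under /root carries the generic home label: run restorecon on it'
    return 'no hint'

def triage(lines):
    """Collapse repeats per (stype, perm, ttype, tclass); returns {key: (count, hint)}."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], perm, rec['ttype'], rec['tclass'])] += 1
    return {k: (n, hint(*k)) for k, n in counts.items()}

# Sample input: three records copied from the report above plus one constructed non-AVC line.
SAMPLE = """\
type=AVC msg=audit(1248797928.282:16527): avc: denied { read } for pid=1421 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1248880809.113:281): avc: denied { execstack } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
type=AVC msg=audit(1248880813.416:288): avc: denied { execmod } for pid=21445 comm="java" path="/usr/lib/libwrapper.so" dev=dm-1 ino=634570 scontext=unconfined_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=USER_AUTH msg=audit(1248797928.000:16526): constructed non-AVC record, ignored
""".splitlines()
```

Running `triage(SAMPLE)` yields one row per distinct cause, so the repeated sshd denials in the full log collapse into a single line with the restorecon hint.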
(In reply to comment #2)
> Here's the list with just AVC denials:
>
> type=AVC msg=audit(1248797928.282:16527): avc: denied { read } for pid=1421 comm="sshd" name="authorized_keys" dev=dm-1 ino=2465817 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

This is clearly not related to Spacewalk. You should do restorecon -rvv ~/.ssh and fix the labels on authorized_keys to be home_ssh_t. This will have the added benefit that public key authentication will actually work.

Thanks, this is just part of the scripts I use to kickstart and set up guests for testing; I was wondering why my keys weren't working on F11.

(In reply to comment #2)
> type=AVC msg=audit(1248791346.653:60): avc: denied { execmod } for pid=19981 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libclntsh.so.10.1" dev=dm-1 ino=770116 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=AVC msg=audit(1248791349.544:61): avc: denied { execmod } for pid=20108 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libagtsh.so.1.0" dev=dm-1 ino=770114 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

This is strange. On my Spacewalk 0.6 nightly installation on Fedora 11, I have

    # ls -laZ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libclntsh.so.10.1
    -r-xr-xr-x. oracle dba system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libclntsh.so.10.1
    # ls -laZ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libagtsh.so.1.0
    -r-xr-xr-x. oracle dba system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libagtsh.so.1.0

Hmmm. The issue is that you do not have oracle-xe-selinux installed. Please follow https://fedorahosted.org/spacewalk/wiki/OracleXeSetup when installing Oracle XE.
(In reply to comment #2)
> type=AVC msg=audit(1248883240.845:17): avc: denied { read } for pid=1304 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-1 ino=1548372 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file

This one we seem to track in bug 514320 -- that one, while for Fedora 10, has the same AVC denial.

(In reply to comment #2)
> type=AVC msg=audit(1248884084.091:24): avc: denied { execmod } for pid=19139 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libocrutl10.so" dev=dm-1 ino=770143 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=AVC msg=audit(1248884095.846:25): avc: denied { execmod } for pid=19208 comm="ld-linux.so.2" path="/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/lib/libdbcfg10.so" dev=dm-1 ino=770123 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

Another symptom of missing oracle-xe-selinux.
(In reply to comment #2)

So, the issues we have on Fedora 11, tracked here, are:

AVC denials execstack and execmem on osa-dispatcher:

> type=AVC msg=audit(1248880809.113:281): avc: denied { execstack } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
> type=AVC msg=audit(1248880809.113:281): avc: denied { execmem } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process

The same on httpd:

> type=AVC msg=audit(1248880810.860:287): avc: denied { execstack } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
> type=AVC msg=audit(1248880810.860:287): avc: denied { execmem } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process

And execmod in / around the tanukiwrapper.

> type=AVC msg=audit(1248880813.416:288): avc: denied { execmod } for pid=21445 comm="java" path="/usr/lib/libwrapper.so" dev=dm-1 ino=634570 scontext=unconfined_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

(In reply to comment #8)
> And execmod in / around the tanukiwrapper.
>
> > type=AVC msg=audit(1248880813.416:288): avc: denied { execmod } for pid=21445 comm="java" path="/usr/lib/libwrapper.so" dev=dm-1 ino=634570 scontext=unconfined_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

We track the issue with the Fedora tanukiwrapper package in bugzilla 480189.

(In reply to comment #9)
> We track the issue with the Fedora tanukiwrapper package in bugzilla 480189.

For Fedora 10, the new package tanukiwrapper-3.2.3-2.4.fc10.i386.rpm is in the testing repo. I've asked Deepak to build a new tanukiwrapper for Fedora 11 as well.
New tanukiwrappers for both F10 and F11 are in updates-testing now.

(In reply to comment #8)
> (In reply to comment #2)
>
> So, the issues we have on Fedora 11, tracked here, are:
>
> AVC denials execstack and execmem on osa-dispatcher:
>
> > type=AVC msg=audit(1248880809.113:281): avc: denied { execstack } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
> > type=AVC msg=audit(1248880809.113:281): avc: denied { execmem } for pid=21282 comm="osa-dispatcher" scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:system_r:osa_dispatcher_t:s0 tclass=process
>
> The same on httpd:
>
> > type=AVC msg=audit(1248880810.860:287): avc: denied { execstack } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
> > type=AVC msg=audit(1248880810.860:287): avc: denied { execmem } for pid=21388 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process

I was not able to reproduce these. My guess is that oracle-instantclient-selinux was not installed / was not installed correctly, leading to wrong contexts on libraries that are used by osa-dispatcher and Apache's mod_perl / mod_python to connect to the Oracle database.

If you still have the machine around, can you post the output of

    # rpm -ql oracle-instantclient-basic | xargs ls -Z

and

    # rpm -ql oracle-instantclient-basic | xargs execstack -q

?

You're right, my install scripts did not install oracle-xe-selinux. Just in case this is still useful:

    [root@sw1 ~]# rpm -ql oracle-instantclient-basic | xargs ls -Z
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/oracle/10.2.0.4/client/bin/genezi
    -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libclntsh.so.10.1
    -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
    -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libocci.so.10.1
    -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libociei.so
    -rw-r--r--. root root system_u:object_r:lib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libocijdbc10.so
    -rw-r--r--. root root system_u:object_r:lib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/ojdbc14.jar
    [root@sw1 ~]# rpm -ql oracle-instantclient-basic | xargs execstack -q
    X /usr/lib/oracle/10.2.0.4/client/bin/genezi
    X /usr/lib/oracle/10.2.0.4/client/lib/libclntsh.so.10.1
    X /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
    X /usr/lib/oracle/10.2.0.4/client/lib/libocci.so.10.1
    X /usr/lib/oracle/10.2.0.4/client/lib/libociei.so
    X /usr/lib/oracle/10.2.0.4/client/lib/libocijdbc10.so
    execstack: "/usr/lib/oracle/10.2.0.4/client/lib/ojdbc14.jar" is not an ELF file

Will be re-doing an install in the coming days and see how it goes.

(In reply to comment #13)
> You're right, my install scripts did not install oracle-xe-selinux. Just in

Well, oracle-xe-selinux is for the server (Oracle XE). It's oracle-instantclient-selinux which matters here.

> [root@sw1 ~]# rpm -ql oracle-instantclient-basic | xargs ls -Z
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/oracle/10.2.0.4/client/bin/genezi
> -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libclntsh.so.10.1
> -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
> -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libocci.so.10.1
> -rw-r--r--. root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/oracle/10.2.0.4/client/lib/libociei.so

The textrel_shlib_t is good here.

I'm however confused about the output of the execstack:

> [root@sw1 ~]# rpm -ql oracle-instantclient-basic | xargs execstack -q
> X /usr/lib/oracle/10.2.0.4/client/bin/genezi
> X /usr/lib/oracle/10.2.0.4/client/lib/libclntsh.so.10.1
> X /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
> X /usr/lib/oracle/10.2.0.4/client/lib/libocci.so.10.1
> X /usr/lib/oracle/10.2.0.4/client/lib/libociei.so

-- the flags should have been cleared (no X) on the .so's. Did you do something special when installing, like upgrading, or installing the same package twice?

In any case, running

    # /usr/sbin/oracle-instantclient-selinux-enable

should fix this problem on your installation.

Errata https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8271 was released for Fedora 11, and http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8193 was released for Fedora 10 and bug 480189. Moving to MODIFIED.

Spacewalk 0.6 released