Bug 578655

Summary: SELinux is preventing oracle (oracle_db_t) "read" to ./passwd (etc_runtime_t).
Product: Red Hat Enterprise Linux 5
Reporter: macheater
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 5.3
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-19 11:12:27 UTC

Description macheater 2010-03-31 23:23:27 UTC
Description of problem:
SELinux is preventing oracle (oracle_db_t) "read" to ./passwd (etc_runtime_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-255.el5_4.4

How reproducible:
Running the Red Hat Satellite server's Oracle database produces errors.

Steps to Reproduce:
1. Try to kickstart a server
Actual results:


Expected results:


Additional info:
Ran: sealert -l ca829f24-e464-4692-bdf3-f55567685542 and followed its recommendation:
restorecon -v './passwd'
This did not produce any changes. Therefore, per sealert:
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Comment 1 Daniel Walsh 2010-04-01 12:34:50 UTC
Sadly, the tool/kernel could not figure out that the AVC referred to /etc/passwd.

restorecon -v /etc/passwd

should probably fix the problem.

We have a better solution for the troubleshooter in RHEL 6. Alternatively, you could turn on full auditing, and the AVC would have contained the full path, but there is a performance overhead for this.

My guess is that some init script edited the /etc/passwd file and left it with a bad label.
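As an added illustration of what Comment 1 describes (example code written for this page, not from the bug report, setroubleshoot or the selinux-policy package): a POSIX shell script that parses AVC denial lines of the shape this report produced, shows why a denial logged with only name="passwd" cannot be resolved to /etc/passwd, and prints the restorecon check for the case where full auditing has recorded the path. The two sample lines, the pid and the inode number are constructed; the script only prints the suggested command and never runs restorecon itself.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denials as they appear in
# /var/log/audit/audit.log and derive the relabel check from Comment 1.

# Constructed sample without full auditing: the kernel logs only the basename
# (name="passwd"), which is how sealert ended up recommending './passwd'.
AVC_NO_PATH='type=AVC msg=audit(1270078800.123:4567): avc:  denied  { read } for  pid=12345 comm="oracle" name="passwd" dev=sda2 ino=131099 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'

# Constructed sample with full auditing: the same denial now carries path=.
AVC_WITH_PATH='type=AVC msg=audit(1270078800.456:4568): avc:  denied  { read } for  pid=12345 comm="oracle" path="/etc/passwd" dev=sda2 ino=131099 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=VALUE in an AVC line, surrounding quotes
# stripped; prints nothing when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level
# (user_u:system_r:oracle_db_t:s0 -> oracle_db_t).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the denied permission inside "denied  { read }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *[{] *\([^} ]*\) *[}].*/\1/p'
}

# avc_target LINE: the object the denial refers to. A path= field is
# authoritative; a bare name= field is only a basename and is marked as such,
# because relabeling a guessed './passwd' fixes nothing.
avc_target() {
    p=$(avc_field "$1" path)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf 'name-only:%s\n' "$(avc_field "$1" name)"
    fi
}

# avc_advice LINE: one line of remediation. A denial on an /etc file whose
# type is a stock one (etc_runtime_t) points at a mislabeled file first, so the
# check to print is restorecon against the policy default, as in Comment 1.
avc_advice() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    obj=$(avc_target "$line")
    case $obj in
        /*) printf '%s denied %s on %s (%s): restorecon -v %s\n' \
                "$src" "$perm" "$obj" "$tgt" "$obj" ;;
        *)  printf '%s denied %s on %s (%s): full path not logged, locate the file before relabeling\n' \
                "$src" "$perm" "${obj#name-only:}" "$tgt" ;;
    esac
}

# Walk both samples so the difference is visible when run stand-alone.
avc_advice "$AVC_NO_PATH"
avc_advice "$AVC_WITH_PATH"
```

Feeding real denials through this is a matter of replacing the two sample variables with `grep 'avc:  denied' /var/log/audit/audit.log` output; the name-only branch is exactly the situation in this report, and the path branch is what Comment 1's full-auditing option would have produced.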