Bug 580047
| Field | Value |
|---|---|
| Summary | selinux denial: comm="osa-dispatcher" cannot write to path="/sqlnet.log" |
| Product | Red Hat Satellite 5 |
| Component | Server |
| Reporter | Petr Sklenar <psklenar> |
| Assignee | Jan Pazdziora (Red Hat) <jpazdziora> |
| QA Contact | Petr Sklenar <psklenar> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | low |
| Version | unspecified |
| CC | cperry, jpazdziora, mmraka, msuchy |
| Hardware | All |
| OS | Linux |
| Whiteboard | Fixed in the 5.4.0 Release - GA'd 2010-10-27 |
| Doc Type | Bug Fix |
| : | 580401 |
| Last Closed | 2010-10-28 15:02:02 UTC |
| Bug Depends On | 580401 |
| Bug Blocks | 462714, 487678 |
Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong?

In general, sqlnet.log is only written if there is a problem during connect.

That's why we did not really bother to address this AVC denial in the past.

(In reply to comment #1)
> Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong?

Right, it was in time of db issue, so there are only few denials on /sqlnet.log for last month or so.

> In general, sqlnet.log is only written if there is a problem during connect.
>
> That's why we did not really bother to address this AVC denial in the past.

(In reply to comment #2)
> Right, it was in time of db issue, so there are only few denials on /sqlnet.log for last month or so.

Thanks. In that case, let me move it from the 5.3.1 triage to later queue.

We should use something like /usr/lib64/oracle/10.2.0.4/client/lib/network/admin/sqlnet.ora to set log_directory_client = /var/log/something and SELinux-label that /var/log/something (or sqlnet.log in it) in such a way that all client programs can append to it.

Adding Michael to Cc.

Addressed in Spacewalk master 72755b7518ecde99364eb8726fca0d39f6b1fbb2 and d9c9529015b0ae3705046cc318e238fd415484d6.

*** Bug 580401 has been marked as a duplicate of this bug. ***

I didn't see a denial on /sqlnet.log

Verified with Satellite-5.4.0-RHEL5-re20100827.0 on x86646 rhel55

The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

- RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332
- RHEA-2010:0803 - RHN Tools enhancement update https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333
- RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334
- RHEA-2010:0800 - RHN Satellite Server 5.4.0 https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available: http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford

*** Bug 519174 has been marked as a duplicate of this bug. ***
Description of problem:

there is selinux denial on satellite using external db

Version-Release number of selected component (if applicable):

sat530 updated from webqa

```
.qa.[root@rhndev2 ~]# rpm -qa|egrep 'selinux|osa'
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-sqlplus-selinux-10.2-9.6.el5sat
selinux-policy-2.4.6-255.el5_4.4
oracle-nofcontext-selinux-0.1-23.8.5.el5sat
oracle-rhnsat-selinux-10.2-11.4.el5sat
spacewalk-selinux-0.5.4-10.el5sat
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2-9.6.el5sat
osa-dispatcher-5.9.10-5.el5sat
jabberd-selinux-1.4.2-6.el5sat
spacewalk-monitoring-selinux-0.5.7-10.el5sat
libselinux-python-1.33.4-5.5.el5
osa-dispatcher-selinux-5.9.10-5.el5sat
```

How reproducible:

Steps to Reproduce:

1. have a satellite running with external db (maybe more warnings to /sqlnet.log ? )

Actual results:

```
type=AVC msg=audit(1270409217.473:2163): avc: denied { append } for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:root_t /sqlnet.log
.qa.[root@rhndev2 ~]# restorecon /sqlnet.log
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:default_t /sqlnet.log
```

Expected results:

no denial

Additional info:

Satellite s390x,1.5Gb mem, external db

```
database:
DB User= psklenar1
DB Password=XXXX
DB SID= rhnsat10
DB hostname= test-db-3.rhndev.redhat.com
DB port= [1521]
DB protocol= [TCP]
```
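Added example, not part of the bug report or of the Spacewalk fix: the Python below parses the AVC record from the description and derives the allow rule a literal policy fix would need. Because the target type is the generic `root_t` (or `default_t` after `restorecon`), it flags the denial for the relocate-and-label approach proposed in the comments rather than for a new rule. The `GENERIC_TYPES` set and the advice strings are assumptions of this example.

```python
import re

# AVC record copied from the bug description on this page.
AVC = (
    'type=AVC msg=audit(1270409217.473:2163): avc: denied { append } for '
    'pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 '
    'scontext=system_u:system_r:osa_dispatcher_t:s0 '
    'tcontext=system_u:object_r:root_t:s0 tclass=file'
)

# Assumption of this example: catch-all file types. An allow rule on one of
# these would also cover every other file that carries the same label.
GENERIC_TYPES = {"root_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Split one AVC audit record into result, permissions and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # Values are either double-quoted (comm, path) or bare tokens.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted or bare
    return rec


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def triage(rec):
    """Return (literal allow rule, advice) for a denied access."""
    src = selinux_type(rec["scontext"])
    tgt = selinux_type(rec["tcontext"])
    rule = "allow %s %s:%s { %s };" % (src, tgt, rec["tclass"], " ".join(rec["perms"]))
    advice = "relocate-and-label" if tgt in GENERIC_TYPES else "review-rule"
    return rule, advice


if __name__ == "__main__":
    record = parse_avc(AVC)
    print(triage(record))
    # Context shown by `ls -Z` after restorecon in the report: still generic.
    record["tcontext"] = "system_u:object_r:default_t"
    print(triage(record))
```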