Bug 580401

Summary: sqlnet.log should be in fixed location (not cwd), labeled properly for all programs to be able to append to it
Product: [Community] Spacewalk
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: Server
Assignee: Michael Mráka <mmraka>
Status: CLOSED DUPLICATE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Priority: low
Version: 0.8
CC: mmraka
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 580047
Last Closed: 2010-05-05 14:56:24 UTC
Bug Blocks: 580047, 585232

Description Jan Pazdziora (Red Hat) 2010-04-08 08:00:15 UTC
+++ This bug was initially created as a clone of Bug #580047 +++

Description of problem:
There is an SELinux denial on a Satellite using an external DB.

Version-Release number of selected component (if applicable):
sat530 updated from webqa

.qa.[root@rhndev2 ~]# rpm -qa|egrep 'selinux|osa'
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-sqlplus-selinux-10.2-9.6.el5sat
selinux-policy-2.4.6-255.el5_4.4
oracle-nofcontext-selinux-0.1-23.8.5.el5sat
oracle-rhnsat-selinux-10.2-11.4.el5sat
spacewalk-selinux-0.5.4-10.el5sat
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2-9.6.el5sat
osa-dispatcher-5.9.10-5.el5sat
jabberd-selinux-1.4.2-6.el5sat
spacewalk-monitoring-selinux-0.5.7-10.el5sat
libselinux-python-1.33.4-5.5.el5
osa-dispatcher-selinux-5.9.10-5.el5sat

How reproducible:


Steps to Reproduce:
1. Have a Satellite running with an external DB (maybe more warnings go to /sqlnet.log?)

  
Actual results:

type=AVC msg=audit(1270409217.473:2163): avc:  denied  { append } for  pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file

.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw-  root root system_u:object_r:root_t         /sqlnet.log
.qa.[root@rhndev2 ~]# restorecon /sqlnet.log
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw-  root root system_u:object_r:default_t      /sqlnet.log


Expected results:
no denial

Additional info:
Satellite
s390x,1.5Gb mem, external db

database:
DB User= psklenar1
DB Password=XXXX
DB SID= rhnsat10
DB hostname= test-db-3.rhndev.redhat.com
DB port= [1521] 
DB protocol= [TCP]

--- Additional comment from jpazdziora on 2010-04-07 09:49:48 EDT ---

Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong?

In general, sqlnet.log is only written if there is a problem during connect.

That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from psklenar on 2010-04-07 11:01:28 EDT ---

(In reply to comment #1)
> Can you confirm that the AVC denial only appears if the database is down /
> unreachable / the connect information is wrong?

Right, it was at the time of the DB issue, so there are only a few denials on /sqlnet.log for the last month or so.

> 
> In general, sqlnet.log is only written if there is a problem during connect.
> 
> That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from jpazdziora on 2010-04-07 13:50:11 EDT ---

(In reply to comment #2)
> 
> Right , it was in time of db issue, so there are only few denials on
> /sqlnet.log for last month or so.

Thanks. In that case, let me move it from the 5.3.1 triage to later queue.

--- Additional comment from jpazdziora on 2010-04-08 03:57:15 EDT ---

We should use something like /usr/lib64/oracle/10.2.0.4/client/lib/network/admin/sqlnet.ora to set log_directory_client = /var/log/something and SELinux-label that /var/log/something (or sqlnet.log in it) in such a way that all client programs can append to it.

--- Additional comment from jpazdziora on 2010-04-08 03:58:02 EDT ---

Adding Michael to Cc.
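
As an added example (not part of this bug report or of Spacewalk's own code): a small Python parser for AVC denial lines like the one in the description, which flags any sqlnet.log that a client wrote outside a fixed log directory (i.e. into its cwd), together with the sqlnet.ora directive the comment above proposes for pinning that directory. The directory /var/log/sqlnet and the second audit line are constructed assumptions.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample audit lines: the first is the denial quoted in this bug,
# the second is a made-up, unrelated denial that the filter must ignore.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1270409217.473:2163): avc:  denied  { append } for  pid=1902 '
    'comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 '
    'scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file',
    'type=AVC msg=audit(1270409300.001:2170): avc:  denied  { read } for  pid=2001 '
    'comm="httpd" path="/etc/shadow" dev=dm-0 ino=12 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC denial line, or None for other audit records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms')
    # The SELinux type is the third colon-separated part of a context (user:role:type:level).
    fields['stype'] = fields.get('scontext', '::').split(':')[2]
    fields['ttype'] = fields.get('tcontext', '::').split(':')[2]
    return fields


def misplaced_sqlnet_log(lines: List[str], log_dir: str = '/var/log/sqlnet') -> List[Dict[str, str]]:
    """Denials for a sqlnet.log that lives anywhere but log_dir (typically the client's cwd)."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        if f and os.path.basename(f.get('path', '')) == 'sqlnet.log' \
                and os.path.dirname(f['path']) != log_dir:
            hits.append(f)
    return hits


def sqlnet_ora_directive(log_dir: str = '/var/log/sqlnet') -> str:
    """sqlnet.ora line that pins client-side Net logging to log_dir instead of the cwd (assumed path)."""
    return f'LOG_DIRECTORY_CLIENT = {log_dir}'


if __name__ == '__main__':
    for hit in misplaced_sqlnet_log(SAMPLE_AUDIT):
        print(f"{hit['comm']} ({hit['stype']}) tried to {hit['perms']} {hit['path']} labelled {hit['ttype']}")
    print(sqlnet_ora_directive())
```

Once the directory exists and carries a label every Oracle client domain may append to, the same filter run over the audit log should return nothing.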

Comment 1 Michael Mráka 2010-05-05 14:56:24 UTC
This is a generalized version of the original bug #580047.
We agreed on closing this as the original bug has been resolved.

*** This bug has been marked as a duplicate of bug 580047 ***