Bug 626420
| Summary: | sqlplus produces lot of avc denials during ./install.pl | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Milan Zázrivec <mzazrivec> |
| Component: | Server | Assignee: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Šimon Lukašík <slukasik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 540 | CC: | cperry, msuchy, slukasik |
| Hardware: | All | ||
| OS: | Linux | ||
| Fixed In Version: | spacewalk-admin-1.2.2-1 | Doc Type: | Bug Fix |
| Clone Of: | 624738 | Environment: | |
| Last Closed: | 2010-10-28 14:53:44 UTC | Type: | --- |
| Bug Depends On: | 624738 | ||
| Bug Blocks: | 487678 | ||
The AVC denials that we talk about in this bugzilla are:
type=AVC msg=audit(1282053398.114:100): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.114:101): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:102): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:103): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:104): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:105): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:106): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:107): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
Addressed in Spacewalk master, ec440206d21021c2ba8fdedf3dc9e2b6f1f31386. We just chdir to / now.

Changing to VERIFIED:

Testing procedure: Automated Galatica installations. (For ex. j:17115).
Verified against: Satellite-5.4.0-RHEL5-re20100903.1 (embedded)

pass beaker test (j:25547)

The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:
http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford
Purpose of this clone is to address the 'avc: denied { search } ... ' denials described in bug #624738.

The problem is easily reproducible:

1. mount a satellite iso under /mnt/whatever
2. cd /mnt/whatever
3. sqlplus rhnsat/rhnsat@rhnsat
4. SQL> quit
5. grep denied /var/log/audit/audit.log

+++ This bug was initially created as a clone of Bug #624738 +++

Description of problem:
During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of selinux avc denials occur. There is also a failed attempt to restart Oracle DB.

+ service oracle restart
Shutting down Oracle Net Listener ...[ OK ]
Shutting down Oracle DB instance "rhnsat" ...[FAILED]
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/oracle: line 42: [: 10: unary operator expected
Starting Oracle Net Listener ... [ OK ]
Starting Oracle DB instance "rhnsat" ... [ OK ]

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20100817.0

How reproducible:
always

Steps to Reproduce:
1. ./install.pl
2.
3.

Actual results:
avc denials

Expected results:
none (avc denial)

Additional info:

--- Additional comment from slukasik on 2010-08-17 12:00:21 EDT ---

--- Additional comment from slukasik on 2010-08-17 12:02:22 EDT ---

--- Additional comment from slukasik on 2010-08-17 12:03:38 EDT ---

Logs come from beaker job:
https://beaker.engineering.redhat.com/jobs/12628

--- Additional comment from slukasik on 2010-08-17 16:16:01 EDT ---

This is what I see in /var/log/messages during rhn-satellite restart:

Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5

--- Additional comment from mzazrivec on 2010-08-20 09:14:52 EDT ---

thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d
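
A triage helper for the denials quoted above, added here as an example and not part of the original bug report or of Spacewalk: it parses AVC records and groups them by source type, target type, class and permission, so repeated records collapse into one row per distinct denial. The sample input reuses three of the page's records plus one constructed `execstack` record; all function names are assumptions of this example.

```python
import re
from collections import Counter

# Three records copied from this bug, plus one CONSTRUCTED execstack record
# (the page only shows that denial as a setroubleshoot message).
SAMPLE = """\
type=AVC msg=audit(1282053398.114:100): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.114:101): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:102): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053400.001:108): avc: denied { execstack } for pid=31500 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=root:system_r:oracle_sqlplus_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)'
)

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "perms": tuple(m["perms"].split())}
    # The remainder is key=value pairs; some values are double-quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = val.strip('"')
    return rec

def sel_type(context):
    """Extract the type field from an SELinux context user:role:type[:level]."""
    return context.split(":")[2]

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

The `search` rows all name `/` on `dev=loop0` with target type `iso9660_t`, which matches the reproduction steps (sqlplus started with its working directory on the mounted ISO) and the fix of changing directory to `/` first.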