Bug 723439

Summary: Please revert the oracledb_port_t type to oracle_port_t
Product: [Fedora] Fedora
Reporter: Jan Pazdziora <jpazdziora>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.16-35.fc15
Doc Type: Bug Fix
Last Closed: 2011-08-02 02:04:14 UTC

Description Jan Pazdziora 2011-07-20 07:17:22 UTC
Description of problem:

There once was no port type defined for ports used by the Oracle database (1521). Then Spacewalk started to use oracle_port_t.

Then Fedora added that type. That led to a bit of conflict because the type cannot be defined both in the base policy and in the module. The fix was in Fedora to start using oracledb_port_t. That however turned out to be bad as well because we couldn't have two types use the same value (1521). So the oracledb_port_t was reverted to oracle_port_t in Fedora and in Spacewalk we made the port definition optional, in a separate SELinux module.

However, the revert did not make it to (then) rawhide, so now we have the oracledb_port_t in Fedora 15 (and I assume in rawhide as well).

Please revert the oracledb_port_t type to oracle_port_t both in Fedora 15 and in rawhide.

Version-Release number of selected component (if applicable):

# rpm -qa selinux-policy*
selinux-policy-3.9.16-34.fc15.noarch
selinux-policy-targeted-3.9.16-34.fc15.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. # semanage port -l | grep oracle
  
Actual results:

oracledb_port_t                tcp      9055, 1521, 2483, 2484
oracledb_port_t                udp      1521, 2483, 2484

Expected results:

oracle_port_t                tcp      9055, 1521, 2483, 2484
oracle_port_t                udp      1521, 2483, 2484

Additional info:

Comment 1 Miroslav Grepl 2011-07-20 11:31:18 UTC
Ok, the same issue which we had with Fedora 14.

Comment 2 Miroslav Grepl 2011-07-20 11:36:27 UTC
We added this fix to the spec file

%define loadpolicy() \
( cd /usr/share/selinux/%1; \
semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v "oracle-port"; \
); \

Comment 3 Jan Pazdziora 2011-07-20 12:00:45 UTC
(In reply to comment #2)
> We added this fix to the spec file
> 
> %define loadpolicy() \
> ( cd /usr/share/selinux/%1; \
> semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v "oracle-port"; \
> ); \

Actually, this is probably not needed for Fedora 15 and rawhide at all -- there should be no oracle-port module loaded on those OSes. It was an upgrade thing on Fedora 14 and RHEL 6 (I believe). For Fedora 14 and higher, we now assume the base policy defines the type. We would just need the type to be oracle_port_t.

Comment 4 Miroslav Grepl 2011-07-20 12:05:35 UTC
Ok, then the fix is

-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
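
Review bot: The replacement network_port(oracle, ...) line lists only 1521, 2483 and 2484, while the semanage output in the description also shows tcp 9055 under the type and expects it under oracle_port_t, so confirm that 9055 is declared under the new name on the line as committed or elsewhere. The hunk changes only the declaration; every other reference to oracledb_port_t, and to anything generated from the oracledb name, needs the same rename or the policy will not build. Minor: the argument spacing is inconsistent (tcp, 1521,s0,udp, 1521,s0 ...), and normalising it to one style would make later diffs of this line easier to read.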

Comment 5 Jan Pazdziora 2011-07-20 12:11:17 UTC
(In reply to comment #4)
> Ok, then the fix is
> 
> -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0,
> tcp,2484,s0, udp,2484,s0)
> +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0,
> tcp,2484,s0, udp,2484,s0)

Yes Sir. Thank you.

Comment 6 Miroslav Grepl 2011-07-20 13:52:59 UTC
Fixed in selinux-policy-3.9.16-35.fc15

Comment 7 Fedora Update System 2011-07-21 06:01:57 UTC
selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15

Comment 8 Jan Pazdziora 2011-07-22 08:23:37 UTC
(In reply to comment #7)
> selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15.
> https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15

Works just fine, thank you.

Can you apply the same change to rawhide?

Comment 9 Miroslav Grepl 2011-07-22 10:39:01 UTC
Applied. Just building a new release.

Comment 10 Fedora Update System 2011-07-23 01:55:10 UTC
Package selinux-policy-3.9.16-35.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-35.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-08-02 02:03:38 UTC
selinux-policy-3.9.16-35.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
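
A check for the naming question this report is about, as an added example that is not part of the original bug report or of selinux-policy: it parses `semanage port -l` output, including port ranges, and fails when tcp or udp 1521 is not labeled with the expected type. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output, modeled on the listing in
# the report; the xserver_port_t row is added only to exercise range parsing.
sample_before() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

oracledb_port_t                tcp      9055, 1521, 2483, 2484
oracledb_port_t                udp      1521, 2483, 2484
xserver_port_t                 tcp      6000-6020
EOF
}
# The same listing after the rename agreed on in the thread.
sample_after() { sample_before | sed 's/oracledb_port_t/oracle_port_t/'; }

# port_types PROTO PORT: read a listing on stdin and print every type whose
# port list covers PORT, either as a single port or inside a LOW-HIGH range.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            list = ""
            for (i = 3; i <= NF; i++) list = list $i   # "9055,1521,2483,2484"
            n = split(list, entry, ",")
            for (i = 1; i <= n; i++) {
                m = split(entry[i], r, "-")
                lo = r[1] + 0; hi = (m == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# check_oracle_label TYPE: read a listing on stdin; return non-zero unless
# both tcp/1521 and udp/1521 carry TYPE.
check_oracle_label() {
    listing=$(cat)
    rc=0
    for proto in tcp udp; do
        found=$(printf '%s\n' "$listing" | port_types "$proto" 1521 | tr '\n' ' ')
        case " $found" in
            *" $1 "*) ;;
            *) echo "$proto/1521 is '${found% }', expected $1" >&2; rc=1 ;;
        esac
    done
    return $rc
}

sample_before | check_oracle_label oracle_port_t || echo "old name in use"
sample_after  | check_oracle_label oracle_port_t && echo "oracle_port_t in use"
```

On a live host the same check is `semanage port -l | check_oracle_label oracle_port_t`, run as root.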