Bug 1029894 - getting 'type=AVC msg=audit(...): avc: denied { search } for pid=... comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir' after upgrade to glibc-2.12-1.132.el6.x86_64
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 560
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Jiří Mikulka
URL:
Whiteboard:
Depends On: 1031387
Blocks: sat560-triage 1043410
Reported: 2013-11-13 13:26 UTC by Jan Hutař
Modified: 2014-10-06 13:47 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1031387 1043410
Environment:
Last Closed: 2013-12-04 15:42:20 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2013:1782: Red Hat Network Satellite server oracle-selinux bug fix update (priority normal, status SHIPPED_LIVE, last updated 2013-12-04 20:41:55 UTC)

Description Jan Hutař 2013-11-13 13:26:01 UTC
Description of problem:
After upgrading RHEL-6.4 with Satellite 5.5.0 installed to glibc-2.12-1.132.el6.x86_64, I started getting one AVC every ~5-10 seconds. Also seen on 5.4.1, but not on 5.6.0.


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.18.noarch
glibc-2.12-1.132.el6.x86_64


How reproducible:
always


Steps to Reproduce:
1. Take RHEL 6.4, install Satellite 5.5.0 with embedded Oracle DB on it
2. Upgrade to glibc-2.12-1.132.el6.x86_64 and restart Satellite


Actual results:
Every ~5-10 seconds this SELinux AVC message is generated:

type=AVC msg=audit(1384348955.069:2073): avc:  denied  { search } for  pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

# ps 9003
  PID TTY      STAT   TIME COMMAND
 9003 ?        Ss     0:00 ora_mmnl_rhnsat


Expected results:
No AVCs should be generated

Comment 3 Jan Hutař 2013-11-15 07:31:13 UTC
SYSCALL generated together with AVC:

type=SYSCALL msg=audit(1384353538.383:6728): arch=c000003e syscall=2 per=400000 success=no exit=-13 a0=7fa5c93d82b8 a1=80000 a2=1ffffd44d7d7 a3=4 items=0 ppid=1 pid=6995 auid=4294967295 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=unconfined_u:system_r:oracl

Comment 5 Michael Mráka 2013-11-15 10:59:37 UTC
Fixed in spacewalk master by
commit 6aa92f5df543de175fcd46a88f7e4b67d1988fa2
    1029894 - allow oracle read sysfs

Comment 6 Jan Hutař 2013-11-15 21:08:23 UTC
Just noted this message as well on 5.6.0 with embedded PostgreSQL:

time->Thu Nov 14 21:55:27 2013
type=SYSCALL msg=audit(1384484127.268:573): arch=c000003e syscall=2 success=no exit=-13 a0=7f18c9ad52b8 a1=80000 a2=2803ff a3=7f1897fff9d0 items=0 ppid=1 pid=27689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384484127.268:573): avc:  denied  { search } for  pid=27689 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Comment 8 Jan Hutař 2013-11-18 07:20:44 UTC
In some very rare cases I do see similar AVC generated by cobbler as well:

time->Sun Nov 17 17:04:05 2013
type=SYSCALL msg=audit(1384725845.423:561): arch=c000003e syscall=2 success=no exit=-13 a0=7faf000582b8 a1=80000 a2=2803ff a3=7faeeabfd9d0 items=0 ppid=1 pid=18537 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384725845.423:561): avc:  denied  { search } for  pid=18537 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Comment 10 Jan Hutař 2013-11-18 08:01:55 UTC
When in Permissive, these AVCs got recorded:

type=AVC msg=audit(1384760968.366:1448): avc:  denied  { search } for  pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { read } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { open } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

And inode 23 is:

/sys/devices/system/cpu/online

which contains:

# cat /sys/devices/system/cpu/online
0-31

and really, I'm on a system with 32 processors:

# cat /proc/cpuinfo | grep ^processor | wc -l
32
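
To show how the denials quoted in this bug map onto the policy change referenced in Comment 5, here is an added Python example (not part of the bug report, of Spacewalk, or of the oracle-selinux package) that parses AVC records into (source type, target type, class, permissions) and renders the corresponding allow rules the way audit2allow would. The sample audit log text is constructed from the lines quoted in this bug plus one non-AVC record that the parser must skip.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in this bug plus a non-AVC line that
# must be ignored, in the format written to /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { search } for  pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { read } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { open } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384348955.069:2073): avc:  denied  { search } for  pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1384760968.366:1448): arch=c000003e syscall=2 success=no exit=-13 comm="cobblerd" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
"""

AVC_RE = re.compile(  # result, permission set, source/target context, class
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the security-relevant fields of one denied AVC record, else None."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    # A context is user:role:type:level; policy rules key on the type.
    d['stype'] = d['scontext'].split(':')[2]
    d['ttype'] = d['tcontext'].split(':')[2]
    return d

def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            needed[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return needed

def allow_rules(needed):
    """Render the narrowest allow rules covering the denials (audit2allow style).
    Review each before loading: here the target is sysfs_t, read-only kernel
    state such as /sys/devices/system/cpu/online, so the grant is small."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules
```

Running `allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))` yields one rule per (type, type, class) triple, which is the shape of the "allow oracle read sysfs" change from Comment 5 and of the cobblerd_t rule the Permissive-mode denials above call for.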

Comment 16 errata-xmlrpc 2013-12-04 15:42:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1782.html