Bug 1029894 - getting 'type=AVC msg=audit(...): avc: denied { search } for pid=... comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir' after upgrade to glibc-2.12-1.132.el6.x86_64
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
Version: 560
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Michael Mráka
QA Contact: Jiří Mikulka
Depends On: 1031387
Blocks: sat560-triage 1043410
Reported: 2013-11-13 08:26 EST by Jan Hutař
Modified: 2014-10-06 09:47 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1031387 1043410
Environment:
Last Closed: 2013-12-04 10:42:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jan Hutař 2013-11-13 08:26:01 EST
Description of problem:
After upgrading RHEL-6.4 with Satellite 5.5.0 installed to glibc-2.12-1.132.el6.x86_64, I started getting one AVC every ~5-10 seconds. Also seen on 5.4.1, but not on 5.6.0.


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.18.noarch
glibc-2.12-1.132.el6.x86_64


How reproducible:
always


Steps to Reproduce:
1. Take RHEL 6.4, install Satellite 5.5.0 with embedded Oracle DB on it
2. Upgrade to glibc-2.12-1.132.el6.x86_64 and restart Satellite


Actual results:
Every ~5-10 seconds this SELinux AVC message is generated:

type=AVC msg=audit(1384348955.069:2073): avc:  denied  { search } for  pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

# ps 9003
  PID TTY      STAT   TIME COMMAND
 9003 ?        Ss     0:00 ora_mmnl_rhnsat


Expected results:
No AVCs should be generated
Comment 3 Jan Hutař 2013-11-15 02:31:13 EST
SYSCALL generated together with AVC:

type=SYSCALL msg=audit(1384353538.383:6728): arch=c000003e syscall=2 per=400000 success=no exit=-13 a0=7fa5c93d82b8 a1=80000 a2=1ffffd44d7d7 a3=4 items=0 ppid=1 pid=6995 auid=4294967295 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=unconfined_u:system_r:oracl
Comment 5 Michael Mráka 2013-11-15 05:59:37 EST
Fixed in spacewalk master by
commit 6aa92f5df543de175fcd46a88f7e4b67d1988fa2
    1029894 - allow oracle read sysfs
Comment 6 Jan Hutař 2013-11-15 16:08:23 EST
Just noted this message as well on 5.6.0 with embedded PostgreSQL:

time->Thu Nov 14 21:55:27 2013
type=SYSCALL msg=audit(1384484127.268:573): arch=c000003e syscall=2 success=no exit=-13 a0=7f18c9ad52b8 a1=80000 a2=2803ff a3=7f1897fff9d0 items=0 ppid=1 pid=27689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384484127.268:573): avc:  denied  { search } for  pid=27689 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Comment 8 Jan Hutař 2013-11-18 02:20:44 EST
In some very rare cases I do see similar AVC generated by cobbler as well:

time->Sun Nov 17 17:04:05 2013
type=SYSCALL msg=audit(1384725845.423:561): arch=c000003e syscall=2 success=no exit=-13 a0=7faf000582b8 a1=80000 a2=2803ff a3=7faeeabfd9d0 items=0 ppid=1 pid=18537 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384725845.423:561): avc:  denied  { search } for  pid=18537 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Comment 10 Jan Hutař 2013-11-18 03:01:55 EST
When in Permissive, these AVCs got recorded:

type=AVC msg=audit(1384760968.366:1448): avc:  denied  { search } for  pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { read } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { open } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

And inode 23 is:

/sys/devices/system/cpu/online

which contains:

# cat /sys/devices/system/cpu/online
0-31

and indeed, I'm on a system with 32 processors:

# cat /proc/cpuinfo | grep ^processor | wc -l
32
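The records quoted in the comments above are easier to triage once AVC and SYSCALL lines are correlated: every record of one audit event carries the same `audit(timestamp:serial)` id, so grouping on that id attaches the `exe=` from the SYSCALL record to the `scontext`/`tcontext`/`tclass` of the denial, and collapsing the denials per (source type, target type, class) gives exactly the kind of rule the spacewalk fix ("allow oracle read sysfs") adds. The following is an added example written for this page, not code from Satellite, spacewalk or the audit tools; it is a simplified, standalone reimplementation of what `ausearch` and `audit2allow` do. The sample records are copied from comments 0, 6 and 10 of this bug (the truncated SYSCALL line from comment 3 is left out), and the `SAMPLE_AUDIT_LINES` constant and all function names are this example's own.

```python
"""Correlate SELinux AVC and SYSCALL audit records and summarize, per source
domain and target type, which permissions were denied.

Added example for this bug page; not part of Satellite, spacewalk, ausearch or
audit2allow.  SAMPLE_AUDIT_LINES is constructed from records quoted in the
bug's comments (cobblerd and oracle denials on sysfs).
"""
import re
from collections import defaultdict

# Audit record header: type, timestamp, serial.  All records of one event
# share the same ts:serial pair, which is the key we correlate on.
HDR_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# AVC body:  avc:  denied  { read } for  pid=... comm="..." name="..." ...
AVC_RE = re.compile(
    r'^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are quoted ("oracle"), parenthesized ((null)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

SAMPLE_AUDIT_LINES = [
    # comment 0: oracle background process, search denied on the sysfs root
    'type=AVC msg=audit(1384348955.069:2073): avc:  denied  { search } for  pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    # comment 6: cobblerd, SYSCALL and AVC of the same event (serial 573)
    'time->Thu Nov 14 21:55:27 2013',
    'type=SYSCALL msg=audit(1384484127.268:573): arch=c000003e syscall=2 success=no exit=-13 a0=7f18c9ad52b8 a1=80000 a2=2803ff a3=7f1897fff9d0 items=0 ppid=1 pid=27689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)',
    'type=AVC msg=audit(1384484127.268:573): avc:  denied  { search } for  pid=27689 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    # comment 10: permissive mode shows the full chain: search, then read+open of "online"
    'type=AVC msg=audit(1384760968.366:1448): avc:  denied  { search } for  pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1384760968.366:1448): avc:  denied  { read } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1384760968.366:1448): avc:  denied  { open } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
]


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit line; returns None for non-record lines (e.g. 'time->...')."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'ts': m['ts'], 'serial': int(m['serial'])}
    if rec['type'] == 'AVC':
        a = AVC_RE.match(m['body'])
        if not a:
            return None
        rec['verdict'] = a['verdict']
        rec['perms'] = a['perms'].split()
        rec.update(parse_kv(a['rest']))
    else:
        rec.update(parse_kv(m['body']))
    return rec


def group_events(lines):
    """Group records by (ts, serial), i.e. by audit event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec['ts'], rec['serial'])].append(rec)
    return dict(events)


def type_of(context):
    """unconfined_u:system_r:cobblerd_t:s0 -> cobblerd_t"""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(lines):
    """Return {(source_type, target_type, tclass): {'perms', 'exe', 'names'}} for denials."""
    summary = defaultdict(lambda: {'perms': set(), 'exe': set(), 'names': set()})
    for recs in group_events(lines).values():
        # exe comes from the SYSCALL record of the same event, if one was logged
        exe = {r['exe'] for r in recs if r['type'] == 'SYSCALL' and 'exe' in r}
        for r in recs:
            if r['type'] != 'AVC' or r['verdict'] != 'denied':
                continue
            key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
            summary[key]['perms'].update(r['perms'])
            summary[key]['exe'].update(exe)
            summary[key]['names'].add(r.get('name', '?'))
    return dict(summary)


def te_rules(summary):
    """Render the summary as audit2allow-style TE rules, for review before any policy change."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
                  for (s, t, c), e in summary.items())


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT_LINES)
    for key, entry in sorted(s.items()):
        print(key, sorted(entry['perms']), sorted(entry['exe']), sorted(entry['names']))
    print('\n'.join(te_rules(s)))
```

On the page's records this yields three rules: `allow cobblerd_t sysfs_t:dir { search };`, `allow cobblerd_t sysfs_t:file { open read };` and `allow oracle_db_t sysfs_t:dir { search };`. The `names` column is what ties the denials to a concrete path: `/` (ino 1) is the sysfs root and `online` (ino 23) is `/sys/devices/system/cpu/online`, as comment 10 established by inode. Note that the enforcing-mode records only ever show the first denial (`search` on `/`); the `read`/`open` on the file appear only in permissive mode, which is why a rule derived from enforcing-mode logs alone would be incomplete.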
Comment 16 errata-xmlrpc 2013-12-04 10:42:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1782.html
