Bug 1258563 - AVC denied with package oracle-xe-selinux
AVC denied with package oracle-xe-selinux
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Installation (Show other bugs)
2.3
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Tomáš Kašpárek
Red Hat Satellite QA List
:
: 1257574 (view as bug list)
Depends On:
Blocks: space27
  Show dependency treegraph
 
Reported: 2015-08-31 12:08 EDT by Pavel Studeník
Modified: 2017-09-28 14:11 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-16 09:09:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pavel Studeník 2015-08-31 12:08:23 EDT
Description of problem:
I tried to install spacewalk with oracle, but I can't. I got avc messages in audit.log during configuration of oracle database.

Version-Release number of selected component (if applicable):
oracle-xe-11.2.0-1.0.x86_64


How reproducible:
always on Fedora 21/22

Steps to Reproduce:
1. try to install oracle-xe 

Actual results:
>> /etc/init.d/oracle-xe configure


Oracle Database 11g Express Edition Configuration
-------------------------------------------------
This will configure on-boot properties of Oracle Database 11g Express 
Edition.  The following questions will determine whether the database should 
be starting upon system boot, the ports it will use, and the passwords that 
will be used for database accounts.  Press <Enter> to accept the defaults. 
Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:
Specify a port that will be used for the database listener [1521]:
Specify a password to be used for database accounts.  Note that the same
password will be used for SYS and SYSTEM.  Oracle recommends the use of 
different passwords for each database account.  This can be done after 
initial configuration:
Confirm the password:

Do you want Oracle Database 11g Express Edition to be started on boot (y/n) [y]:
Starting Oracle Net Listener...Done
Configuring database...
Database Configuration failed.  Look into /u01/app/oracle/product/11.2.0/xe/config/log for details


Additional info:
type=AVC msg=audit(1441034977.975:938): avc:  denied  { rlimitinh } for  pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:939): avc:  denied  { siginh } for  pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034977.975:940): avc:  denied  { noatsecure } for  pid=14635 comm="tnslsnr" scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.471:941): avc:  denied  { name_connect } for  pid=14635 comm="tnslsnr" dest=199 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=tcp_socket permissive=1

type=USER_START msg=audit(1441034978.491:947): pid=14639 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="oracle" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1441034978.767:948): avc:  denied  { rlimitinh } for  pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.767:949): avc:  denied  { siginh } for  pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.767:950): avc:  denied  { noatsecure } for  pid=14651 comm="orapwd" scontext=unconfined_u:system_r:oracle_sqlplus_t:s0 tcontext=unconfined_u:system_r:oracle_db_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441034978.777:951): avc:  denied  { execute } for  pid=14652 comm="oracle" path="/etc/ld.so.cache" dev="dm-0" ino=131880 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.326:952): avc:  denied  { execute } for  pid=14652 comm="oracle" path=2F535953566330613539343434202864656C6574656429 dev="tmpfs" ino=32768 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.604:953): avc:  denied  { execute } for  pid=14652 comm="oracle" path="/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat" dev="dm-0" ino=265366 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:oracle_db_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034981.671:954): avc:  denied  { execute } for  pid=14652 comm="oracle" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1441034982.305:955): avc:  denied  { execute } for  pid=14705 comm="oracle" path="/u01/app/oracle/product/11.2.0/xe/dbs/hc_XE.dat" dev="dm-0" ino=265366 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:oracle_db_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034983.331:956): avc:  denied  { execute } for  pid=14711 comm="oracle" path=2F535953566330613539343434202864656C6574656429 dev="tmpfs" ino=32768 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1441034983.337:957): avc:  denied  { execute } for  pid=14711 comm="oracle" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1441035047.068:958): avc:  denied  { name_bind } for  pid=14635 comm="tnslsnr" src=8080 scontext=unconfined_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
Comment 1 Pavel Studeník 2015-08-31 12:14:16 EDT
>> audit2allow < oracle.audit.log

#============= oracle_db_t ==============
allow oracle_db_t ld_so_cache_t:file execute;
allow oracle_db_t oracle_db_log_t:file execute;
allow oracle_db_t tmpfs_t:file execute;
allow oracle_db_t zero_device_t:chr_file execute;

#============= oracle_lsnrctl_t ==============
allow oracle_lsnrctl_t oracle_tnslsnr_t:process { siginh rlimitinh noatsecure };

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t oracle_db_t:process { siginh rlimitinh noatsecure };

#============= oracle_tnslsnr_t ==============
allow oracle_tnslsnr_t http_cache_port_t:tcp_socket name_bind;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, oracle_snmp_support
allow oracle_tnslsnr_t snmp_port_t:tcp_socket name_connect;



>> make -f /usr/share/selinux/devel/Makefile
Compiling targeted oracle-xe module
oracle-xe.te:66: Warning: mcs_ptrace_all() has been deprecated, please remove mcs_constrained() instead.
oracle-xe.te:78: Warning: corecmd_exec_ls() has been deprecated, please use corecmd_exec_bin() instead.
/usr/bin/checkmodule:  loading policy configuration from tmp/oracle-xe.tmp
oracle-xe.te:42:ERROR 'unknown type ld_so_cache_t' at token ';' on line 3305:
allow oracle_db_t ld_so_cache_t:file execute;
#============= oracle_db_t ==============
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/oracle-xe.mod' failed
make: *** [tmp/oracle-xe.mod] Error 1
Comment 2 Pavel Studeník 2015-08-31 12:42:50 EDT
fix https://github.com/Pajinek/spacewalk/commit/18f9d294799e35f37d3603f5a2b312651a79ded7

# diff oracle-xe.te oracle-xe.te.new -u
--- oracle-xe.te        2015-06-16 21:20:38.000000000 +0200
+++ oracle-xe.te.new    2015-08-31 18:19:14.441896530 +0200
@@ -15,6 +15,9 @@
        type lib_t;
        type bin_t;
        type rhnsd_conf_t;
+        type ld_so_cache_t;
+        type zero_device_t;
+        type snmp_port_t;
 }

 rw_files_pattern(oracle_db_t, oracle_sqlplus_log_t, oracle_sqlplus_log_t)
@@ -37,9 +40,32 @@

 allow oracle_db_t self:process ptrace;

+
+#============= oracle_db_t ==============
+allow oracle_db_t ld_so_cache_t:file execute;
+allow oracle_db_t oracle_db_log_t:file execute;
+allow oracle_db_t tmpfs_t:file execute;
+allow oracle_db_t zero_device_t:chr_file execute;
+
+#============= oracle_lsnrctl_t ==============
+allow oracle_lsnrctl_t oracle_tnslsnr_t:process { siginh rlimitinh noatsecure };
+
+#============= oracle_sqlplus_t ==============
+allow oracle_sqlplus_t oracle_db_t:process { siginh rlimitinh noatsecure };
+
+#============= oracle_tnslsnr_t ==============
+allow oracle_tnslsnr_t http_cache_port_t:tcp_socket name_bind;
+
+#!!!! This avc can be allowed using one of the these booleans:
+#     nis_enabled, oracle_snmp_support
+allow oracle_tnslsnr_t snmp_port_t:tcp_socket name_connect;
+
+
+
 term_dontaudit_use_console(oracle_db_t)
 term_dontaudit_use_console(oracle_tnslsnr_t)


# make -f /usr/share/selinux/devel/Makefile -B
/usr/share/selinux/devel/include/kernel/corenetwork.if:74576: Error: duplicate definition of corenet_tcp_sendrecv_oracle_port(). Original definition on 183.
/usr/share/selinux/devel/include/kernel/corenetwork.if:74704: Error: duplicate definition of corenet_tcp_bind_oracle_port(). Original definition on 207.
/usr/share/selinux/devel/include/kernel/corenetwork.if:74763: Error: duplicate definition of corenet_tcp_connect_oracle_port(). Original definition on 231.
/usr/share/selinux/devel/include/kernel/corenetwork.if:105980: Error: duplicate definition of corenet_dontaudit_tcp_connect_snmp_port(). Original definition on 255.
Compiling targeted oracle-xe module
oracle-xe.te:43: Warning: mcs_ptrace_all() has been deprecated, please remove mcs_constrained() instead.
oracle-xe.te:55: Warning: corecmd_exec_ls() has been deprecated, please use corecmd_exec_bin() instead.
/usr/bin/checkmodule:  loading policy configuration from tmp/oracle-xe.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/oracle-xe.mod
Creating targeted oracle-xe.pp policy package
rm tmp/oracle-xe.mod.fc tmp/oracle-xe.mod
Comment 3 Pavel Studeník 2015-09-02 06:24:44 EDT
*** Bug 1257574 has been marked as a duplicate of this bug. ***
Comment 4 Pavel Studeník 2015-10-16 09:09:12 EDT
Fix in spacewalk 2.4
Comment 5 Eric Herget 2017-09-28 14:11:29 EDT
This BZ closed some time during 2.5, 2.6 or 2.7.  Adding to 2.7 tracking bug.

Note You need to log in before you can comment on or make changes to this bug.