Bug 488699 - AVCs during 20090227.1 installation
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Jan Pazdziora
Jan Hutař
Depends On: 493629
Blocks: 457079
Reported: 2009-03-05 04:40 EST by Jan Hutař
Modified: 2009-09-10 15:12 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:12:17 EDT
Attachments:
audit.log (also processed by audit2allow and audit2why) (59.58 KB, application/octet-stream), 2009-03-05 04:40 EST, Jan Hutař

Description Jan Hutař 2009-03-05 04:40:51 EST
Created attachment 334114
audit.log (also processed by audit2allow and audit2why)

Description of problem:
During Satellite-5.3.0-RHEL5-re20090227.1/i386 installation on RHEL5-Server-U3 some AVCs appeared in the audit.log.

Version-Release number of selected component (if applicable):

How reproducible:
probably always

Steps to Reproduce:
1. /mnt/redhat/devel/candidate-trees/Satellite-5.3.0-RHEL5-re20090227.1/i386/i386//install.pl --answer-file=/mnt/tests/CoreOS/RHN-Satellite/Installer/Sanity/install/answers.txt --non-interactive --disconnected --run-updater

Actual results:
#============= load_policy_t ==============
allow load_policy_t initrc_t:fifo_file write;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t etc_runtime_t:file { read getattr };
allow oracle_sqlplus_t nfs_t:dir search;

#============= oracle_tnslsnr_t ==============
allow oracle_tnslsnr_t initrc_t:fifo_file { read write };

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t etc_runtime_t:file { read getattr };

#============= setfiles_t ==============
allow setfiles_t rpm_script_t:fifo_file write;

#============= spacewalk_monitoring_t ==============
allow spacewalk_monitoring_t initrc_t:fifo_file { read write ioctl getattr };

Expected results:
no AVCs

Additional info:
noted in RHTS job:
Comment 1 Jan Pazdziora 2009-04-06 08:51:23 EDT
The load_policy_t and setfiles_t issues addressed in 4ac8e4589ccef0d1b54236d7096f030fca4b5244.

The spacewalk_monitoring_t initrc_t:fifo_file addressed in 883d0398abac9155216864c8e62cfd4e6ec39a55.

The oracle_sqlplus_t nfs_t:dir search issue -- I am not exactly sure where it comes from.

The oracle_tnslsnr_t initrc_t:fifo_file -- again, not exactly sure.

The etc_runtime_t is strange -- I never saw /etc/tnsnames.ora created with this type.

I just tried installation of Satellite-5.3.0-RHEL5-re20090403.2 on i386 and reboot and did not get any AVCs.
Comment 2 Jan Pazdziora 2009-04-10 08:52:17 EDT
As also noted in bug 493629, the etc_runtime_t AVC denial seems to be caused by the way the RHTS automation tests are started -- as initrc_t, not as unconfined_t.
Comment 3 Jan Pazdziora 2009-04-10 08:54:27 EDT
The other AVC denials were either addressed or I was not able to reproduce them. Moving to MODIFIED for now, as soon as RHTS is changed to run ./install.pl as unconfined_t, we should be able to move ON_QA to re-test.
Comment 4 Jan Pazdziora 2009-04-15 03:25:20 EDT
Moving ON_QA, as Jan H. noted in bug 493629 comment 6 that RHTS now uses runcon.
Comment 5 Jan Hutař 2009-04-16 08:34:36 EDT
Thanks to jpazdziora I have fixed the test and now satellite installs correctly, closing this one.
Comment 6 Jan Pazdziora 2009-04-16 09:23:03 EDT
Could you make the bugzilla VERIFIED then? We don't want this issue to disappear in the NOTABUG pile as the problem might reappear and by having it not CLOSED, it will be more visible.
Comment 7 Jan Hutař 2009-04-17 03:13:29 EDT
Sorry, done.
Comment 8 Milan Zázrivec 2009-09-02 07:32:28 EDT
Verified with last stage iso, no denials -> RELEASE_PENDING
Comment 9 Brandon Perkins 2009-09-10 15:12:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
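
Added example, not part of the bug report or of the Satellite code: a short Python triage of AVC denials that merges them the way the audit2allow summary in the description does, then sets aside rules whose target type is initrc_t or etc_runtime_t so the launch context can be re-checked (comment 2) before any allow rule is written. The log lines are constructed samples, and the LAUNCH_TYPES set and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the attached log).
SAMPLE_LOG = """\
type=AVC msg=audit(1236245000.101:41): avc:  denied  { read } for  pid=2101 comm="sqlplus" name="tnsnames.ora" dev=dm-0 ino=98311 scontext=system_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1236245000.102:42): avc:  denied  { getattr } for  pid=2101 comm="sqlplus" path="/etc/tnsnames.ora" dev=dm-0 ino=98311 scontext=system_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1236245003.310:47): avc:  denied  { read write } for  pid=2240 comm="tnslsnr" path="pipe:[7712]" dev=pipefs ino=7712 scontext=system_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file
type=AVC msg=audit(1236245010.005:52): avc:  denied  { search } for  pid=2101 comm="sqlplus" name="redhat" dev=0:15 ino=2 scontext=system_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=USER_AUTH msg=audit(1236245011.000:53): user pid=2300 uid=0 msg='not an AVC'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")

# Assumption for triage: target types that point at the installer having been
# started from an init-script context rather than from the intended domain.
LAUNCH_TYPES = {"initrc_t", "etc_runtime_t"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Merge denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if line.startswith("type=AVC") and m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def triage(rules):
    """Split allow-rule strings into (check_launch_context, policy_candidates)."""
    check, policy = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rule = f"allow {src} {tgt}:{cls} {perm_str};"
        (check if tgt in LAUNCH_TYPES else policy).append(rule)
    return check, policy

if __name__ == "__main__":
    check, policy = triage(summarize(SAMPLE_LOG))
    print("Re-test under the intended domain before allowing:", *check, sep="\n  ")
    print("Candidates for a policy fix:", *policy, sep="\n  ")
```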

