Bug 489377 - SELinux denials starting up and stopping oracle
Summary: SELinux denials starting up and stopping oracle
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: wes hayutin
URL: na
Whiteboard:
Depends On:
Blocks: 457079 519174
 
Reported: 2009-03-09 18:53 UTC by wes hayutin
Modified: 2009-09-10 19:12 UTC

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 519174
Environment:
Last Closed: 2009-09-10 19:12:20 UTC
Target Upstream Version:
Embargoed:



Description wes hayutin 2009-03-09 18:53:09 UTC
Description of problem:

Satellite-5.3.0-RHEL5-re20090306.2-i386-embedded-oracle.iso

Referring to bug https://bugzilla.redhat.com/show_bug.cgi?id=483004

Retested on the latest build; I'm seeing denials when starting and stopping Oracle.

type=AVC msg=audit(1236624621.564:1417): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1418): avc:  denied  { name_bind } for  pid=26929 comm="osa-dispatcher" src=820 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1419): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1420): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1421): avc:  denied  { name_bind } for  pid=26929 comm="osa-dispatcher" src=821 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1422): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


[root@grandprix audit]# ps -ef | grep 26929
root     26929     1  0 13:49 pts/0    00:00:00 /usr/bin/python /usr/sbin/osa-dispatcher --pid-file /var/run/osa-dispatcher.pid
root     29573 26456  0 14:52 pts/0    00:00:00 grep 26929
[root@grandprix audit]#

Comment 1 Jan Pazdziora 2009-03-09 19:08:59 UTC
How do you restart that Oracle? (Please, *always* use the full default template when filing new bugzilla.)

I ask because it seems strange that restarting Oracle would generate AVCs from osa-dispatcher, so I wonder if you maybe also restarted osa-dispatcher, or something.

Also, I wonder how exactly this relates to bug 483004 -- that one does not have any name_connect nor name_bind AVCs ...

Comment 2 wes hayutin 2009-03-09 19:26:09 UTC
[root@grandprix ~]# service oracle restart
Shutdown Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/shutdown.log
                                                           [  OK  ]
Starting Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/startup.log
                            

type=AVC msg=audit(1236626712.747:1529): avc:  denied  { search } for  pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc:  denied  { node_bind } for  pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc:  denied  { name_bind } for  pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

Comment 3 Jan Pazdziora 2009-03-16 12:59:40 UTC
Wes, so what were the osa-dispatcher AVC denials in comment 0 about? Do we have bugzilla for those?

Comment 4 wes hayutin 2009-03-16 13:10:20 UTC
There have been two other bugs opened on osa-dispatcher avc denials. One is verified and the other we thought we could close due to the "screen" issue.  For this bug ignore the osa-dispatcher avc denials, and only work w/ the denials in comment #2

Comment 5 Jan Pazdziora 2009-03-16 13:37:55 UTC
But they are NIS-related, aren't they? (I'm happy to keep this bugzilla for oracle/sqlplus NIS-related issues only, I just wouldn't like something to fall through cracks.)

Comment 6 Jan Pazdziora 2009-03-16 13:53:48 UTC
Fix allowing Oracle to use NIS in Spacewalk repo, commit 8e09915ab3c5c2091b85d20401bb27a46d81c5a0.

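The three sqlplus denials in comment 2 and the NIS fix in comment 6 are easier to reason about once the raw audit records are reduced to the access tuples a policy author actually has to decide on. The script below is an added example and is not code from this bug report or from the Spacewalk oracle-rhnsat-selinux module; the function names `avc_for_domain` and `avc_to_te` and the variable `AVC_SAMPLE` are chosen here, and the sample input is a copy of the records pasted in comment 2. It filters records by source domain (comment 4 asks for the osa_dispatcher_t ones to be set aside) and prints one `allow` line per denied permission, in the form `audit2allow` would emit.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Spacewalk
# oracle-rhnsat-selinux policy. It reduces raw AVC records to the
# (source type, target type, class, permission) tuples a policy author
# has to decide on, in the same "allow" syntax audit2allow would emit.

# Constructed sample input: the three sqlplus denials pasted in comment 2.
AVC_SAMPLE='type=AVC msg=audit(1236626712.747:1529): avc:  denied  { search } for  pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc:  denied  { node_bind } for  pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc:  denied  { name_bind } for  pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket'

# avc_for_domain TYPE: keep only records whose source (process) type is
# TYPE. Lets the oracle_sqlplus_t denials be separated from the unrelated
# osa_dispatcher_t ones, as comment 4 asks.
avc_for_domain() {
    grep "scontext=[^ ]*:$1:"
}

# avc_to_te: read AVC records on stdin and print one de-duplicated
# "allow SRC TGT:CLASS PERM;" line per permission that was denied.
avc_to_te() {
    awk '
    # The type is the third field of a user:role:type:level context.
    function ctxtype(kv,    v, a) {
        v = kv; sub(/^[a-z]*=/, "", v)
        split(v, a, ":")
        return a[3]
    }
    /avc: *denied/ {
        # Denied permissions are listed between "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { stype = ctxtype($i) }
            else if ($i ~ /^tcontext=/) { ttype = ctxtype($i) }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " stype " " ttype ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# Stand-alone run: candidate rules for the sqlplus domain only.
printf '%s\n' "$AVC_SAMPLE" | avc_for_domain oracle_sqlplus_t | avc_to_te
```

Run on the comment 2 records this prints `allow oracle_sqlplus_t var_yp_t:dir search;`, `allow oracle_sqlplus_t inaddr_any_node_t:tcp_socket node_bind;` and `allow oracle_sqlplus_t hi_reserved_port_t:tcp_socket name_bind;`. Those three lines are the raw requirement, not a finished fix: together they are the access profile of a NIS client (searching /var/yp, binding a privileged source port and an INADDR_ANY socket to talk to ypbind), and in a refpolicy-based module the usual way to express that is the NIS client interface (`nis_use_ypbind()`) rather than three bare `allow` rules, so that the grant stays tied to the NIS boolean and to the RPC port types instead of being hard-coded. The source type also tells you which module the fix belongs in: these are `oracle_sqlplus_t` denials, so they are a matter for the oracle-rhnsat-selinux policy, not the osa-dispatcher one.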
Comment 7 Jan Pazdziora 2009-03-23 08:35:41 UTC
Tagged as oracle-rhnsat-selinux-10.2-10.

Comment 8 Jan Pazdziora 2009-03-30 09:14:17 UTC
With compose Satellite-5.3.0-RHEL5-re20090327.0 available, moving ON_QA.

Comment 9 wes hayutin 2009-03-30 19:14:32 UTC
no denials when satellite is stopped and oracle is restarted...

no denials when oracle is restarted when satellite is running..

verified

Comment 10 Miroslav Suchý 2009-08-25 14:06:54 UTC
[root@xen5 ~]# getenforce; echo BBBBBBBBB >>/var/log/audit/audit.log; service oracle restart; grep -A 999999999 BBBBBBBBB  /var/log/audit/audit.log |grep denied
Permissive
Shutting down Oracle Net Listener ...                      [  OK  ]
Shutting down Oracle DB instance "rhnsat" ...              [  OK  ]
Starting Oracle Net Listener ...                           [  OK  ]
Starting Oracle DB instance "rhnsat" ...                   [  OK  ]
type=AVC msg=audit(1251208527.650:4609): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file

The original AVC denials do not appear. These two new ones, however, do appear. I'm verifying this bug and am going to clone a new BZ for these two.

Comment 11 Brandon Perkins 2009-09-10 19:12:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

