Description of problem: Satellite-5.3.0-RHEL5-re20090306.2-i386-embedded-oracle.iso

Referring to bug https://bugzilla.redhat.com/show_bug.cgi?id=483004, I retested on the latest build and I'm seeing denials when starting and stopping oracle:

type=AVC msg=audit(1236624621.564:1417): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1418): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=820 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1419): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1420): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1421): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=821 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1422): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

[root@grandprix audit]# ps -ef | grep 26929
root     26929     1  0 13:49 pts/0    00:00:00 /usr/bin/python /usr/sbin/osa-dispatcher --pid-file /var/run/osa-dispatcher.pid
root     29573 26456  0 14:52 pts/0    00:00:00 grep 26929
[root@grandprix audit]#
How do you restart that Oracle? (Please, *always* use the full default template when filing new bugzilla.) I ask because it seems strange that restarting Oracle would generate AVCs from osa-dispatcher, so I wonder if you maybe also restarted osa-dispatcher, or something. Also, I wonder how exactly this relates to bug 483004 -- that one does not have any name_connect nor name_bind AVCs ...
[root@grandprix ~]# service oracle restart
Shutdown Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/shutdown.log [ OK ]
Starting Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/startup.log

type=AVC msg=audit(1236626712.747:1529): avc: denied { search } for pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc: denied { node_bind } for pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc: denied { name_bind } for pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
Wes, so what were the osa-dispatcher AVC denials in comment 0 about? Do we have a bugzilla for those?
There have been two other bugs opened on osa-dispatcher avc denials. One is verified and the other we thought we could close due to the "screen" issue. For this bug ignore the osa-dispatcher avc denials, and only work w/ the denials in comment #2
But they are NIS-related, aren't they? (I'm happy to keep this bugzilla for oracle/sqlplus NIS-related issues only, I just wouldn't like something to fall through cracks.)
Fix allowing Oracle to use NIS in Spacewalk repo, commit 8e09915ab3c5c2091b85d20401bb27a46d81c5a0.
Tagged as oracle-rhnsat-selinux-10.2-10.
With compose Satellite-5.3.0-RHEL5-re20090327.0 available, moving ON_QA.
No denials when satellite is stopped and oracle is restarted. No denials when oracle is restarted while satellite is running. Verified.
[root@xen5 ~]# getenforce; echo BBBBBBBBB >>/var/log/audit/audit.log; service oracle restart; grep -A 999999999 BBBBBBBBB /var/log/audit/audit.log |grep denied
Permissive
Shutting down Oracle Net Listener ... [ OK ]
Shutting down Oracle DB instance "rhnsat" ... [ OK ]
Starting Oracle Net Listener ... [ OK ]
Starting Oracle DB instance "rhnsat" ... [ OK ]
type=AVC msg=audit(1251208527.650:4609): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file

The original AVC denials do not appear. These two new ones, however, do. I am verifying this bug and will clone a new bz for these two.
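Triage in this thread came down to two things: reading only the AVC records produced by the action under test (the verifier appends a sentinel line to audit.log, restarts Oracle, and looks at what follows), and separating the osa-dispatcher denials from the sqlplus/NIS ones by process and by source/target type. The script below is an added example written for this page, not code from the bug, from Red Hat or from the Spacewalk project. It parses AVC records into fields, honours the sentinel, splits denials by comm, and collapses them into audit2allow-style allow lines; that last rendering is a simplified imitation written here, not the audit2allow tool. The sample records are constructed after the ones quoted in this bug (plus one non-AVC line), and the names SAMPLE_AUDIT_LOG, parse_avc, denials_after_marker, by_comm and summarize are this example's own.

```python
import re
from collections import defaultdict

# One AVC record per line, as auditd writes them. The bug quotes them with
# whitespace collapsed, so the pattern tolerates either spacing.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values (comm="...", path="...") may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, modelled on the records quoted in this bug: one denial
# before the sentinel, the sentinel itself, then five denials and one
# unrelated non-AVC record. Not a capture from a live system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236624621.564:1417): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
BBBBBBBBB
type=AVC msg=audit(1236624621.564:1418): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=820 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1421): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=821 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1236626712.747:1529): arch=40000003 syscall=195 success=no exit=-13 comm="sqlplus"
type=AVC msg=audit(1236626712.747:1529): avc: denied { search } for pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc: denied { node_bind } for pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc: denied { name_bind } for pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": sorted(m.group("perms").split()),  # "{ read write }" -> 2 perms
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The third colon-separated field of a context is the SELinux type; an
    # MLS range after it (e.g. s0-s0:c0.c1023) adds colons but not before it.
    rec["stype"] = rec.get("scontext", "?:?:?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "?:?:?").split(":")[2]
    return rec


def denials_after_marker(log_text, marker=None):
    """Return denied AVC records; with a marker, only those after the
    sentinel line (echo MARKER >> audit.log before running the action)."""
    seen_marker = marker is None
    out = []
    for line in log_text.splitlines():
        if not seen_marker:
            seen_marker = marker in line  # marker line itself is skipped
            continue
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            out.append(rec)
    return out


def by_comm(records):
    """Group denials by the offending process name, which is how the thread
    separated osa-dispatcher noise from the sqlplus/NIS denials."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("comm", "?")].append(r)
    return dict(groups)


def summarize(records):
    """Collapse denials into audit2allow-style allow lines, one per
    (source type, target type, class), listing the union of permissions."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(grouped.items())
    ]


if __name__ == "__main__":
    denials = denials_after_marker(SAMPLE_AUDIT_LOG, "BBBBBBBBB")
    for comm, recs in sorted(by_comm(denials).items()):
        print("%s: %d denial(s)" % (comm, len(recs)))
    for rule in summarize(denials):
        print(rule)
```

The summary lines say what a local policy module would have to grant, not whether it should: a denial such as the append to /sqlnet.log in root_t from the verification run above is a reason to ask why the process writes there at all before anyone turns it into an allow rule.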
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html