Bug 489548 - avc: denied { search } for comm="oracle" name="client" scontext=oracle_db_t tcontext=oracle_tnslsnr_log_t
Summary: avc: denied { search } for comm="oracle" name="client" scontext=oracle_db_t...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Installation
Version: 0.5
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Milan Zázrivec
URL:
Whiteboard:
Depends On:
Blocks: 565417 space14
TreeView+ depends on / blocked
 
Reported: 2009-03-10 16:57 UTC by Milan Zázrivec
Modified: 2011-04-26 09:10 UTC (History)
1 user (show)

Fixed In Version: oracle-selinux-0.1.23.26-1 oracle-xe-selinux-10.2.0.20-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-26 09:10:44 UTC
Embargoed:


Attachments (Terms of Use)
part of /var/log/audit/audit.log (675 bytes, text/plain)
2009-03-10 16:57 UTC, Milan Zázrivec
no flags Details

Description Milan Zázrivec 2009-03-10 16:57:59 UTC
Created attachment 334678 [details]
part of /var/log/audit/audit.log

Description of problem:
SELinux denial occurs when installing Spacewalk 0.5 on a SELinux enabled
machine.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-203
oracle-nofcontext-selinux-0.1-23.5
spacewalk-selinux-0.5.2-1
oracle-instantclient-selinux-10.2-7
oracle-xe-selinux-10.2-9

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-5.3, selinux enabled
2. Setup Oracle-XE as documented in
   https://fedorahosted.org/spacewalk/wiki/OracleXeSetup
3. yum install spacewalk
4. spacewalk-setup --disconnected
5. AVC denial occurs right about the time spacewalk-setup prints:
   ** Database: Testing database connection.
  
Actual results:
Attachment

Expected results:
No denial.

Additional info:
N/A

Comment 1 Milan Zázrivec 2009-03-10 17:26:00 UTC
The denial actually shows up even on a running Spacewalk 0.5
(not just during the actual installation).

Comment 2 Jan Pazdziora 2009-04-09 13:35:52 UTC
Milan, was this Permissive or Enforcing?

Comment 3 Milan Zázrivec 2009-04-09 13:46:56 UTC
(In reply to comment #2)
> Milan, was this Permissive or Enforcing?  

Permissive.

Comment 4 Jan Pazdziora 2009-04-10 12:18:11 UTC
The problem was caused by using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh in root's/oracle's .bash_profile. In that case, sqlplus and client libraries from Oracle XE rpm instead of those from InstantClient rpm were used.

We've since addressed the issue by removing the recommendation to use/link oracle_env.sh from https://fedorahosted.org/spacewalk/wiki/OracleXeSetup.

On current installations (as of Spacewalk 0.5), the directory /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/log has type oracle_tnslsnr_log_t but stays empty. We might want to change it to oracle_common_log_t should we ever need to support this scenario.

Moving ON_QA with Spacewalk 0.5 and current installation instructions being released.

Comment 5 Jesus M. Rodriguez 2009-04-14 14:13:30 UTC
Spacewalk 0.5 released.

Comment 6 Miroslav Suchý 2009-09-17 07:11:06 UTC
Spacewalk 0.5 has been released for long time ago.

Comment 7 Jan Pazdziora 2011-04-06 07:38:22 UTC
Reopening, it's still present in Spacewalk 1.3.

Comment 8 Jan Pazdziora 2011-04-06 07:45:25 UTC
The AVC denial is caused by timeout during (say) login and ORA-3136 which the Oracle server tries to log into /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/sqlnet.log.

Comment 9 Jan Pazdziora 2011-04-06 08:28:02 UTC
Fixed in Spacewalk master, 85b5cf4d54b389d2ca14c955766265457cf0c47c.

Comment 10 Miroslav Suchý 2011-04-11 07:45:16 UTC
Mass moving to ON_QA before release of Spacewalk 1.4

Comment 11 Miroslav Suchý 2011-04-26 09:10:44 UTC
Spacewalk 1.4 has been released


Note You need to log in before you can comment on or make changes to this bug.