Bug 489548 - avc: denied { search } for comm="oracle" name="client" scontext=oracle_db_t tcontext=oracle_tnslsnr_log_t
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Installation
Version: 0.5
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Milan Zazrivec
Keywords: Reopened
Blocks: 565417 space14

Reported: 2009-03-10 12:57 EDT by Milan Zazrivec
Modified: 2011-04-26 05:10 EDT

Fixed In Version: oracle-selinux-0.1.23.26-1 oracle-xe-selinux-10.2.0.20-1
Doc Type: Bug Fix
Last Closed: 2011-04-26 05:10:44 EDT

Attachments:
part of /var/log/audit/audit.log (675 bytes, text/plain)
2009-03-10 12:57 EDT, Milan Zazrivec

Description Milan Zazrivec 2009-03-10 12:57:59 EDT
Created attachment 334678
part of /var/log/audit/audit.log

Description of problem:
SELinux denial occurs when installing Spacewalk 0.5 on a SELinux enabled
machine.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-203
oracle-nofcontext-selinux-0.1-23.5
spacewalk-selinux-0.5.2-1
oracle-instantclient-selinux-10.2-7
oracle-xe-selinux-10.2-9

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-5.3, selinux enabled
2. Setup Oracle-XE as documented in
   https://fedorahosted.org/spacewalk/wiki/OracleXeSetup
3. yum install spacewalk
4. spacewalk-setup --disconnected
5. AVC denial occurs right about the time spacewalk-setup prints:
   ** Database: Testing database connection.
  
Actual results:
Attachment

Expected results:
No denial.

Additional info:
N/A
Comment 1 Milan Zazrivec 2009-03-10 13:26:00 EDT
The denial actually shows up even on a running Spacewalk 0.5
(not just during the actual installation).
Comment 2 Jan Pazdziora 2009-04-09 09:35:52 EDT
Milan, was this Permissive or Enforcing?
Comment 3 Milan Zazrivec 2009-04-09 09:46:56 EDT
(In reply to comment #2)
> Milan, was this Permissive or Enforcing?  

Permissive.
Comment 4 Jan Pazdziora 2009-04-10 08:18:11 EDT
The problem was caused by using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle_env.sh in root's/oracle's .bash_profile. In that case, sqlplus and client libraries from Oracle XE rpm instead of those from InstantClient rpm were used.

We've since addressed the issue by removing the recommendation to use/link oracle_env.sh from https://fedorahosted.org/spacewalk/wiki/OracleXeSetup.

On current installations (as of Spacewalk 0.5), the directory /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/log has type oracle_tnslsnr_log_t but stays empty. We might want to change it to oracle_common_log_t should we ever need to support this scenario.

Moving ON_QA with Spacewalk 0.5 and current installation instructions being released.
Comment 5 Jesus M. Rodriguez 2009-04-14 10:13:30 EDT
Spacewalk 0.5 released.
Comment 6 Miroslav Suchý 2009-09-17 03:11:06 EDT
Spacewalk 0.5 was released a long time ago.
Comment 7 Jan Pazdziora 2011-04-06 03:38:22 EDT
Reopening, it's still present in Spacewalk 1.3.
Comment 8 Jan Pazdziora 2011-04-06 03:45:25 EDT
The AVC denial is caused by timeout during (say) login and ORA-3136 which the Oracle server tries to log into /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/sqlnet.log.
Comment 9 Jan Pazdziora 2011-04-06 04:28:02 EDT
Fixed in Spacewalk master, 85b5cf4d54b389d2ca14c955766265457cf0c47c.
Comment 10 Miroslav Suchý 2011-04-11 03:45:16 EDT
Mass moving to ON_QA before release of Spacewalk 1.4
Comment 11 Miroslav Suchý 2011-04-26 05:10:44 EDT
Spacewalk 1.4 has been released
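
To check whether a host is still logging the denial from this report, the AVC records in /var/log/audit/audit.log can be grouped by source type, target type and permission. The Python below is an added example, not part of the bug report or of Spacewalk; the sample log lines are constructed (they are not the report's attachment), and their pid, inode, timestamp and user:role:level values, as well as the unrelated httpd record, are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (NOT the bug's attachment).
# pid/ino/timestamps and the user:role:level parts of the contexts are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236704279.101:310): avc:  denied  { search } for  pid=4021 comm="oracle" name="client" dev=dm-0 ino=98311 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1236704279.101:310): arch=40000003 syscall=5 success=yes exit=3 comm="oracle"
type=AVC msg=audit(1236704291.417:322): avc:  denied  { search } for  pid=4077 comm="oracle" name="client" dev=dm-0 ino=98311 scontext=user_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1236704300.002:330): avc:  denied  { read } for  pid=5000 comm="httpd" name="shadow" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _setype(context):
    """Return the type field of user:role:type[:level]; pass a bare type through."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": _setype(fields.get("scontext", "")),
        "target_type": _setype(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"],
                        rec["tclass"], perm, rec["comm"])] += 1
    return counts

def count_bug_489548(counts):
    """Number of denials matching this report: oracle_db_t searching oracle_tnslsnr_log_t."""
    return sum(n for (src, tgt, _cls, perm, _comm), n in counts.items()
               if (src, tgt, perm) == ("oracle_db_t", "oracle_tnslsnr_log_t", "search"))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```

On a host with the fixed policy packages installed, `count_bug_489548` over the current audit log should return 0.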