Created attachment 336524
part of /var/log/audit/audit.log

Description of problem:
After a fresh installation of Satellite-5.3.0-RHEL5-re20090323.0 on s390x (embedded db variant) several selinux denials show up.

Version-Release number of selected component (if applicable):
oracle-instantclient-basic-10.2.0-36.el5sat
oracle-instantclient-selinux-10.2-7.el5sat
oracle-server-s390x-10.2.0.4-23.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 on RHEL 5.3, s390x, embedded db variant
2. After successful installation: grep denied /var/log/audit/audit.log

Actual results:
See attachment.

Expected results:
No denials.

Additional info:
# ldd /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl | grep libclntsh.so
libclntsh.so.10.1 => /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1 (0x0000020000002000)
# ldd /opt/apps/oracle/web/product/10.2.0/db_1/bin/tnslsnr | grep libclntsh.so
libclntsh.so.10.1 => /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1 (0x0000020000002000)
# ldd /opt/apps/oracle/web/product/10.2.0/db_1/bin/sqlplus | grep libclntsh.so
libclntsh.so.10.1 => /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1 (0x00000200000de000)
# execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/tnslsnr
- /opt/apps/oracle/web/product/10.2.0/db_1/bin/tnslsnr
# execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
- /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
# execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/sqlplus
- /opt/apps/oracle/web/product/10.2.0/db_1/bin/sqlplus
# execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
X /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
It seems that the oracle-server-* packages or at least oracle-server-s390x should clear the execstack flag from libclntsh.so.10.1, using something like

/usr/bin/execstack -c /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1

which is the command that we've been using in oracle-instantclient-selinux's %post script. I could fix it in oracle-rhnsat-selinux but since we are building the oracle-server-s390x package for Satellite ourselves, we might just as well do this during build time. Ergo, reassigning to Michael M.
Oops, now really reassigning to Michael M.
Fixed in thirdparty.git

commit 97ff3484742d113df11b97e5122ec2659e2cc2c5
Automatic commit of package [oracle-server-s390x] minor release [10.2.0.4-41].

commit 0325d2d95fa5c2cc40a756da4529243fe2157808
491949 - cleared exestack from libclntsh.so.10.1
Moving ON_QA. Satellite-5.3.0-RHEL?-re20090403.2
Satellite-5.3.0-RHEL5-re20090625.0-s390x-embedded-oracle.iso Verified that after an install none of the execstack or execmem selinux denials initially reported for lsnrctl, tnslsnr or sqlplus were found in the audit.log.
Verified with last stage iso -> RELEASE_PENDING
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
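
The X, - and ? markings that `execstack -q` prints in the report above come from the PT_GNU_STACK program header of each ELF file. The following is an added example, not part of the original bug report or of the Satellite packaging: it reads that header for 32-bit and 64-bit images in either byte order (s390x is big-endian), and the names `stack_marking` and `sample_elf64_be` as well as the sample images are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def stack_marking(elf: bytes) -> str:
    """Return 'X' (executable stack requested), '-' (not requested) or '?' (no marker)."""
    if len(elf) < 6 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = ">" if elf[5] == 2 else "<"       # EI_DATA: 2 = big-endian, 1 = little-endian
    if len(elf) < (0x40 if is64 else 0x34):
        raise ValueError("truncated ELF header")
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_at = 4                        # p_flags follows p_type in ELF64
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_at = 24                       # p_flags is the 7th word in ELF32
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(elf):  # program header table runs past the data
            break
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_at)
            return "X" if p_flags & PF_X else "-"
    return "?"

def sample_elf64_be(stack_flags=None) -> bytes:
    """Constructed sample: minimal big-endian ELF64 image with one program header.
    stack_flags=None emits a PT_LOAD entry instead of PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 2, 1]) + bytes(9)
    # e_type=ET_DYN, e_machine=EM_S390 (22), e_phoff=0x40, e_ehsize=64, e_phentsize=56, e_phnum=1
    header = struct.pack(">HHIQQQIHHHHHH", 3, 22, 1, 0, 0x40, 0, 0, 64, 56, 1, 0, 0, 0)
    p_type = PT_GNU_STACK if stack_flags is not None else 1
    phdr = struct.pack(">IIQQQQQQ", p_type, stack_flags or 0, 0, 0, 0, 0, 0, 0x10)
    return ident + header + phdr

if __name__ == "__main__":
    # Usage: python3 this_file.py <elf file> [<elf file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(stack_marking(fh.read()), path)
```
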