Bug 493629 - SELinux AVC when installing latest nightly
SELinux AVC when installing latest nightly
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
Petr Sklenar
:
Depends On:
Blocks: 457079 488699
  Show dependency treegraph
 
Reported: 2009-04-02 09:07 EDT by Jan Hutař
Modified: 2009-09-10 15:12 EDT (History)
2 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:12:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Hutař 2009-04-02 09:07:24 EDT
Description of problem:
When I try to install latest nightly, I'm getting SELinux AVCs.


Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090327.0


How reproducible:
always


Steps to Reproduce:
1. install satellite SELinux in enforcing mode


Actual results:
type=AVC msg=audit(1238569702.441:122): avc:  denied  { getattr } for  pid=27565 comm="osa-dispatcher" path="/etc/tnsnames.ora" dev=dm-0 ino=17368845 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


Expected results:
no AVCs


Additional info:
Complete log: http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=52893
Links to the AVC logs (see "Binary Logs:" section):
i386: http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=7482488
x86_64: http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=7482509
Comment 1 Jan Pazdziora 2009-04-06 09:13:37 EDT
Is this embedded db ISO or external database?

Did the /etc/tnsnames.ora possibly exist on the system before you started the installation?

What will

   # restorecon -nvv /etc/tnsnames.ora

say?

What does

   # ls -dZ /

say?
Comment 2 Jan Hutař 2009-04-07 02:39:17 EDT
(In reply to comment #1)
> Is this embedded db ISO or external database?

This is embedded DB.

> Did the /etc/tnsnames.ora possibly exist on the system before you started the
> installation?

This was new installation of RHEL5-Server-U3, so no.

> What will
> 
>    # restorecon -nvv /etc/tnsnames.ora
> 
> say?
> 
> What does
> 
>    # ls -dZ /
> 
> say?  

These systems were already returned to the RHTS pool (and reinstalled and so on), but I can try to recreate the situation if you want.
Comment 3 Jan Pazdziora 2009-04-07 04:30:42 EDT
(In reply to comment #2)
> These systems were already returned to the RHTS pool (and reinstalled and so
> on), but I can try to recreate the situation if you want.  

That'd be great. Thanks.
Comment 7 Jan Pazdziora 2009-04-15 03:23:56 EDT
OK, putting ON_QA.
Comment 8 Petr Sklenar 2009-06-26 14:24:18 EDT
verified;
rhts tests seem sane with last built of Satellite 5.3.0 - 20090623.0 

RHEL4: 
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=68860
RHEL5:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=68862
Comment 9 Petr Sklenar 2009-06-26 14:32:38 EDT
verified;
manual install on clear x8664 and i386 machines with rhel5 are OK;
tried: Satellite 5.3.0 - 20090623.0
Comment 10 Milan Zazrivec 2009-09-02 07:36:25 EDT
No denials when installing latest stage iso -> RELEASE_PENDING
Comment 11 Brandon Perkins 2009-09-10 15:12:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.