Bug 495869 - SELinux denial when running spacewalk-schema-upgrade
Summary: SELinux denial when running spacewalk-schema-upgrade
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Upgrades
Version: 530
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Jeff Browning
URL:
Whiteboard:
Depends On:
Blocks: 456986 457079
Reported: 2009-04-15 09:28 UTC by Milan Zázrivec
Modified: 2009-08-27 17:38 UTC (History)

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-27 17:38:22 UTC
Target Upstream Version:
Embargoed:


Attachments
part of audit.log (selinux permissive) (285 bytes, text/plain)
2009-04-15 09:28 UTC, Milan Zázrivec

Description Milan Zázrivec 2009-04-15 09:28:01 UTC
Created attachment 339658: part of audit.log (selinux permissive)

Description of problem:
Running spacewalk-schema-upgrade script with SELinux enabled gives a denial.

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-8
oracle-nofcontext-selinux-0.1-23.6
oracle-rhnsat-selinux-10.2-10
spacewalk-selinux-0.5.3-1

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.2.0 on RHEL-5, selinux enabled (permissive at least)
2. Install rhn-upgrade, run upgrade to 5.3.0
3. One of the upgrade steps involves running spacewalk-schema-upgrade script
  
Actual results:
See attachment.

Expected results:
No denial.

Additional info:
N/A

Comment 1 Jan Pazdziora 2009-04-21 12:54:59 UTC
Fixed in Spacewalk repo, master and VADER branches; commits 9d63b6a900279c8efb6be60bfdbffd791a59a7f6 and 50f689b774db03181ecd57adf9e6cc893a1d44c2 in VADER.

Comment 2 Jan Pazdziora 2009-04-27 13:12:49 UTC
Packages spacewalk-selinux-0.5.3-2.el5sat and spacewalk-schema-0.5.20-8.el5sat are on compose Satellite-5.3.0-RHEL5-re20090424.1, moving ON_QA.

Comment 3 Jeff Browning 2009-07-07 18:44:01 UTC
No SELinux denials encountered during the upgrade process from 520 to 530.

Verified.

Comment 4 Miroslav Suchý 2009-08-27 09:47:15 UTC
After the upgrade, I got only the following in audit.log:
[root@xen15 ~]# grep denied /var/log/audit/audit.log |grep sqlplus
type=AVC msg=audit(1251295477.026:1205): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1251295477.070:1206): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="mnt" dev=xvda1 ino=281953 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1251296580.263:1214): avc:  denied  { search } for  pid=21841 comm="sqlplus" name="Satellite-5.3.0-RHEL5-re20090820.1-x86_64" dev=0:17 ino=3458192 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

which may be leaked screen file descriptors, but the message in #0 is definitely not there.
Verified in stage on xen15.

Comment 5 Brandon Perkins 2009-08-27 17:38:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1235.html

