Description of problem:
While syncing the channels to the satellite from the dump mounted over the NFS, I got this AVC.

Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090413.0

How reproducible:
on both i386 and x86_64

Steps to Reproduce:
1. runcon -u root -r system_r -t unconfined_t -l s0 -- satellite-sync --mount-point=/tmp/mount-C23270 -c rhel-x86_64-server-5

Actual results:
time->Tue Apr 14 07:50:14 2009
type=SYSCALL msg=audit(1239709814.058:121): arch=c000003e syscall=10 success=no exit=-13 a0=2b9a9936d000 a1=e6000 a2=5 a3=2b9a99374400 items=0 ppid=9851 pid=12778 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ld-linux-x86-64" exe="/lib64/ld-2.5.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1239709814.058:121): avc: denied { execmod } for pid=12778 comm="ld-linux-x86-64" path="/usr/lib/oracle/10.2.0.4/client64/lib/libsqlplus.so" dev=dm-0 ino=7170515 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

Expected results:
no AVC

Additional info:
Now I'm using runcon in the RHTS test (for both satellite installation and channel syncing), so this should be a real bug.

Relevant part (just guessing from the AVC's timestamp) of the log is:

07:23:27 6693/6693 Extinct package: crash-devel-4.0-7.2.3.el5_3.1.x86_64.rpm
07:23:27 Processing rpm packages complete
07:23:27 No handler for step srpms
07:23:27
07:23:27 Downloading package metadata
07:23:28 Retrieving / parsing *relevant* package metadata: rhel-x86_64-server-5 (6693)
07:23:28 * WARNING: this may be a slow process.
________________________________________
Downloading:# MARK-LWD-LOOP -- 2009-04-14 07:25:00 --
###### MARK-LWD-LOOP -- 2009-04-14 07:30:00 --
####### MARK-LWD-LOOP -- 2009-04-14 07:35:00 --
##### MARK-LWD-LOOP -- 2009-04-14 07:40:00 --
#### MARK-LWD-LOOP -- 2009-04-14 07:45:00 --
##### MARK-LWD-LOOP -- 2009-04-14 07:50:00 --
###### MARK-LWD-LOOP -- 2009-04-14 07:54:59 --
### MARK-LWD-LOOP -- 2009-04-14 07:59:59 --
### - complete
08:01:39
08:01:39 Downloading errata data
08:01:39 Retrieving / parsing errata data: rhel-x86_64-server-5 (929)
________________________________________
Downloading:######################################## - complete
08:03:33 Downloading errata data complete

Full log: http://rhts.redhat.com/testlogs/54382/182662/1525646/TESTOUT.log
RHTS job: http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=54382
Jan, the AVC shows that the type of /usr/lib/oracle/10.2.0.4/client64/lib/libsqlplus.so is lib_t. And the same for i386's /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so, as seen on http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=7672631

This is strange because Satellite-5.3.0-RHEL5-re20090413.0 has oracle-instantclient-selinux-10.2-8.el5sat.noarch.rpm on it and rpm -q --scripts oracle-instantclient-selinux-10.2-8.el5sat shows that we set the fcontext to textrel_shlib_t. Indeed, on my fresh Satellite installation, I have

# ls -laZ /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so

So we'd need to get the output of the above ls -lZ output on your test machines because you shouldn't really have gotten yourself to that situation. Can you get the type of that libsqlplus.so?
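The two audit records from the report, read together, as an added example that is not part of the original thread: it pairs the SYSCALL and AVC records by event id and decodes what the loader was doing when execmod was denied. The function names are hypothetical, and the expected type is taken from the reply above.

```python
import re

# The SYSCALL/AVC pair from the report, with fields unused here dropped.
SAMPLE = """\
type=SYSCALL msg=audit(1239709814.058:121): arch=c000003e syscall=10 success=no exit=-13 a0=2b9a9936d000 a1=e6000 a2=5 a3=2b9a99374400 pid=12778 comm="ld-linux-x86-64" exe="/lib64/ld-2.5.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023
type=AVC msg=audit(1239709814.058:121): avc: denied { execmod } for pid=12778 comm="ld-linux-x86-64" path="/usr/lib/oracle/10.2.0.4/client64/lib/libsqlplus.so" dev=dm-0 ino=7170515 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
EXPECTED_TYPE = "textrel_shlib_t"  # assumption: type the thread says the package sets

def parse_events(text):
    """Group audit records by event id (timestamp:serial) and record type."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"')
                  for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
        perms = re.search(r"denied\s+\{([^}]*)\}", body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def explain_execmod(event):
    """Summarise an execmod denial alongside its syscall record, or None."""
    avc, sc = event["AVC"], event["SYSCALL"]
    if "execmod" not in avc["perms"]:
        return None
    prot = int(sc["a2"], 16)  # audit logs syscall arguments a0..a3 in hex
    target_type = avc["tcontext"].split(":")[2]
    return {
        "path": avc["path"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": target_type,
        # syscall 10 on arch c000003e (x86_64) is mprotect(addr, len, prot)
        "mprotect": sc["arch"] == "c000003e" and sc["syscall"] == "10",
        "prot": [name for bit, name in PROT.items() if prot & bit],
        "eacces": sc["exit"] == "-13",
        "label_mismatch": target_type != EXPECTED_TYPE,
    }

if __name__ == "__main__":
    for event_id, event in parse_events(SAMPLE).items():
        print(event_id, explain_execmod(event))
```

The result shows an mprotect() request for PROT_READ|PROT_EXEC failing with EACCES on a file labelled lib_t, which is the text-relocation case that the textrel_shlib_t label exists to permit.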
Actually, this was a bug -- the libsqlplus.so was not yet installed when we've run the restorecon on it. Fixed in Spacewalk repo, master 04aaae7f4a8c2dd3883a36426ee4524287655c00 oracle-instantclient-selinux-10.2-10, and VADER d10ebc92bf4cc925f71d9b1a276c01b5059e08e6.
Package oracle-instantclient-selinux-10.2-10 (or the change thereof) did not make it to Satellite-5.3.0-RHEL5-re20090501.1 ISO.
ISO Satellite-5.3.0-RHEL5-re20090501.1 still only has oracle-instantclient-selinux-10.2-9.el5sat.noarch.rpm.
(In reply to comment #2)
> Actually, this was a bug -- the libsqlplus.so was not yet installed when we've
> run the restorecon on it.

But that should not matter for the textrel_shlib_t issue -- the fcontext should have already been loaded by the SELinux rpm, so even if the libsqlplus.so is installed later, it should get the correct context. The execstack issue is a different issue though.
The sqlplus-specific part of oracle-instantclient-selinux was now moved to oracle-instantclient-sqlplus-selinux, which is now required by spacewalk-selinux.
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
VERIFIED with 20090521.1 on RHEL5 x86_64 in Enforcing. https://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=61408
Verified in stage -> RELEASE_PENDING
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html