Bug 496034 - AVC when syncing channel
AVC when syncing channel
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
530
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
Michael Mráka
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-04-16 04:19 EDT by Jan Hutař
Modified: 2009-09-10 15:12 EDT (History)
3 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:12:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Hutař 2009-04-16 04:19:24 EDT
Description of problem:
While syncing the channels to the satellite from the dump mounted over the NFS, I got this AVC.


Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090413.0


How reproducible:
on both i386 and x86_64


Steps to Reproduce:
1. runcon  -u root -r system_r -t unconfined_t -l s0 -- satellite-sync --mount-point=/tmp/mount-C23270  -c rhel-x86_64-server-5


Actual results:
time->Tue Apr 14 07:50:14 2009
type=SYSCALL msg=audit(1239709814.058:121): arch=c000003e syscall=10 success=no exit=-13 a0=2b9a9936d000 a1=e6000 a2=5 a3=2b9a99374400 items=0 ppid=9851 pid=12778 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ld-linux-x86-64" exe="/lib64/ld-2.5.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1239709814.058:121): avc:  denied  { execmod } for  pid=12778 comm="ld-linux-x86-64" path="/usr/lib/oracle/10.2.0.4/client64/lib/libsqlplus.so" dev=dm-0 ino=7170515 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file


Expected results:
no AVC


Additional info:
Now I'm using runcon in the RHTS test (for both satellite installation and channel syncing), so this should be a real bug.

Relevant part (just guessing from the AVC's timestamp) of the log is:

07:23:27     6693/6693 Extinct package:  crash-devel-4.0-7.2.3.el5_3.1.x86_64.rpm
07:23:27 Processing rpm packages complete
07:23:27 No handler for step srpms
07:23:27 
07:23:27 Downloading package metadata
07:23:28    Retrieving / parsing *relevant* package metadata: rhel-x86_64-server-5 (6693)
07:23:28    * WARNING: this may be a slow process.
            ________________________________________
Downloading:#
MARK-LWD-LOOP -- 2009-04-14 07:25:00 --
######
MARK-LWD-LOOP -- 2009-04-14 07:30:00 --
#######
MARK-LWD-LOOP -- 2009-04-14 07:35:00 --
#####
MARK-LWD-LOOP -- 2009-04-14 07:40:00 --
####
MARK-LWD-LOOP -- 2009-04-14 07:45:00 --
#####
MARK-LWD-LOOP -- 2009-04-14 07:50:00 --
######
MARK-LWD-LOOP -- 2009-04-14 07:54:59 --
###
MARK-LWD-LOOP -- 2009-04-14 07:59:59 --
### - complete
08:01:39 
08:01:39 Downloading errata data
08:01:39    Retrieving / parsing errata data: rhel-x86_64-server-5 (929)
            ________________________________________
Downloading:######################################## - complete
08:03:33 Downloading errata data complete


Full log:
http://rhts.redhat.com/testlogs/54382/182662/1525646/TESTOUT.log

RHTS job:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=54382
Comment 1 Jan Pazdziora 2009-04-21 09:08:05 EDT
Jan, the AVC shows that the type of /usr/lib/oracle/10.2.0.4/client64/lib/libsqlplus.so is lib_t. And the same for i386's /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so, as seen on http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=7672631

This is strange because Satellite-5.3.0-RHEL5-re20090413.0 has oracle-instantclient-selinux-10.2-8.el5sat.noarch.rpm on it and

rpm -q --scripts oracle-instantclient-selinux-10.2-8.el5sat

shows that we set the fcontext to textrel_shlib_t. Indeed, on my fresh Satellite installation, I have

# ls -laZ /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /usr/lib/oracle/10.2.0.4/client/lib/libsqlplus.so

So we'd need to get the output of the above ls -lZ output on your test machines because you shouldn't really have gotten yourself to that situation. Can you get the type of that libsqlplus.so?
Comment 2 Jan Pazdziora 2009-04-30 07:37:40 EDT
Actually, this was a bug -- the libsqlplus.so was not yet installed when we've run the restorecon on it.

Fixed in Spacewalk repo, master 04aaae7f4a8c2dd3883a36426ee4524287655c00 oracle-instantclient-selinux-10.2-10, and VADER d10ebc92bf4cc925f71d9b1a276c01b5059e08e6.
Comment 3 Jan Pazdziora 2009-05-04 04:00:34 EDT
Package oracle-instantclient-selinux-10.2-10 (or the change thereof) did not make it to Satellite-5.3.0-RHEL5-re20090501.1 ISO.
Comment 4 Jan Pazdziora 2009-05-04 08:45:04 EDT
ISO Satellite-5.3.0-RHEL5-re20090501.1 still only has oracle-instantclient-selinux-10.2-9.el5sat.noarch.rpm.
Comment 5 Jan Pazdziora 2009-05-11 05:38:24 EDT
(In reply to comment #2)
> Actually, this was a bug -- the libsqlplus.so was not yet installed when we've
> run the restorecon on it.

But that should not matter for the textrel_shlib_t issue -- the fcontext should have already been loaded by the SELinux rpm, so even if the libsqlplus.so is installed later, it should get the correct context.

The execstack issue is a different issue though.
Comment 6 Jan Pazdziora 2009-05-11 09:09:49 EDT
The sqlplus-specific part of oracle-instantclient-selinux was now moved to oracle-instantclient-sqlplus-selinux, which is now required by spacewalk-selinux.
Comment 7 Jan Pazdziora 2009-05-21 04:25:53 EDT
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
Comment 8 Jan Hutař 2009-05-29 03:05:55 EDT
VERIFIED with 20090521.1 on RHEL5 x86_64 in Enforcing.

https://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=61408
Comment 9 Milan Zázrivec 2009-09-02 08:10:41 EDT
Verified in stage -> RELEASE_PENDING
Comment 10 Brandon Perkins 2009-09-10 15:12:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.