Bug 498974 - SELinux errors, prevent clients from registering to a sat proxy
Status: CLOSED DUPLICATE of bug 497887
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
530
All Linux
low Severity medium
Assigned To: Jan Pazdziora
wes hayutin
Blocks: 457079
Reported: 2009-05-04 12:06 EDT by wes hayutin
Modified: 2009-05-05 10:01 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-05 10:01:18 EDT
Attachments
txt selinux errors (6.61 KB, text/plain), 2009-05-04 12:06 EDT, wes hayutin
traceback txt (8.82 KB, text/plain), 2009-05-04 12:25 EDT, wes hayutin
installation-log (359.21 KB, text/plain), 2009-05-05 09:08 EDT, wes hayutin

Description wes hayutin 2009-05-04 12:06:17 EDT
Created attachment 342328
txt selinux errors

Description of problem:

sat 4/24.1 build rhel 5, proxy 5.3 webui installer, rhel 5 client proxy


recreate
1. register rhel 5 client
2. install w/ webui proxy 5.3
3. tail the audit.log during the install 
notice everything is working, w/ success messages

right when the install finishes.. you get the following selinux errors..
Comment 1 wes hayutin 2009-05-04 12:11:42 EDT
these selinux errors cause a failure in client registration..

[root@dhcp77-132 rhn]# rhnreg_ks --username=admin --pass=dog8code --serverUrl=http://dhcp77-103.rhndev.redhat.com/XMLRPC --force --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT 
An error has occurred:

Error Message:
    RHN Proxy error (auth caching issue). Please contact your system administrator.
Error Class Code: 1000
Error Class Info: RHN Proxy error.
Explanation: 
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.



turn selinux to permissive on the server...

[root@dhcp77-132 rhn]# rhnreg_ks --username=admin --pass=dog8code --serverUrl=http://dhcp77-103.rhndev.redhat.com/XMLRPC --force --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT 
[root@dhcp77-132 rhn]# 

and registration works
Comment 2 wes hayutin 2009-05-04 12:15:34 EDT
may be dupe
https://bugzilla.redhat.com/show_bug.cgi?id=497887
Comment 3 wes hayutin 2009-05-04 12:25:28 EDT
Created attachment 342330
traceback txt
Comment 4 Jan Pazdziora 2009-05-05 08:38:09 EDT
The SELinux output shows that the type (tcontext) of /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so is lib_t, not textrel_shlib_t as it should be. Since the file is owned by oracle-instantclient-basic-10.2.0-36.el5sat.i386.rpm and oracle-instantclient-basic is Required by oracle-instantclient-selinux, I wonder how the file ended up mis-labeled.

Can you confirm that the package version is oracle-instantclient-selinux-10.2-8.el5sat.noarch.rpm?

Is there anything suspicious in rhn-installation.log?

What does

restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so

report?
Comment 5 wes hayutin 2009-05-05 09:06:27 EDT
[root@grandprix audit]# rpm -q oracle-instantclient-selinux
oracle-instantclient-selinux-10.2-8.el5sat
[root@grandprix audit]# 

[root@grandprix audit]# restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
Comment 6 wes hayutin 2009-05-05 09:07:07 EDT
[root@grandprix audit]# restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so returned no output.
Comment 7 wes hayutin 2009-05-05 09:08:16 EDT
Created attachment 342455
installation-log
Comment 8 Jan Pazdziora 2009-05-05 09:17:43 EDT
So I also assume that

# ls -lZ /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so

shows textrel_shlib_t, not lib_t, right? As the installation log shows that the type was set to textrel_shlib_t.

Are you sure that you see the execmod on /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so errors shown in the initial attachment for the RHN Proxy activation and client registration? Because they are reported by scheduleEvents and kernel.pl, which is monitoring ...

And besides, they suggest that the type of that libnnz10.so file is lib_t, which does not seem to be the case here. Aren't the AVC denials some older stuff?
Comment 9 wes hayutin 2009-05-05 09:45:10 EDT
[root@grandprix audit]# ls -lZ /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so
[root@grandprix audit]#
Comment 10 Jan Pazdziora 2009-05-05 10:01:18 EDT
In this case, the AVC denials from attachment 342328 are not related to the activation / registration issues you see.

My closest guess would be that this is a duplicate of bug 497887.

*** This bug has been marked as a duplicate of bug 497887 ***
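
The triage used in comments 4 to 10 (compare the tcontext type recorded in each AVC denial with the label the file carries now, to tell live denials from old ones), as an added example that is not part of the original thread or of any Satellite code. The audit lines are constructed samples, and `context_type`, `on_disk_type` and `triage` are hypothetical helper names.

```python
import os
import re

# Constructed sample audit.log lines (not taken from the bug's attachment).
SAMPLE_LOG = """\
type=AVC msg=audit(1241452800.101:311): avc:  denied  { execmod } for  pid=4021 comm="scheduleEvents" path="/usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so" dev=dm-0 ino=98311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1241452805.440:312): avc:  denied  { execmod } for  pid=4030 comm="kernel.pl" path="/usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so" dev=dm-0 ino=98311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1241452805.440:312): arch=40000003 syscall=125 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?path="(?P<path>[^"]*)"'
    r'.*?tcontext=(?P<tcontext>\S+)')

def context_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def on_disk_type(path):
    """Type stored in the file's security.selinux xattr, or None if unreadable."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # no such file, no xattr, or non-Linux host
        return None
    return context_type(raw.rstrip(b"\0").decode())

def triage(log_text, lookup=on_disk_type):
    """Compare each path-bearing AVC denial's tcontext type with the current label."""
    results = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial that names a path
        logged, current = context_type(m["tcontext"]), lookup(m["path"])
        if current is None:
            verdict = "unknown"          # cannot read the label on this host
        elif current == logged:
            verdict = "label unchanged"  # denial matches the file as labeled now
        else:
            verdict = "stale"            # file was relabeled after this denial
        results.append(dict(ts=int(m["ts"]), comm=m["comm"], perms=m["perms"].split(),
                            path=m["path"], logged=logged, current=current, verdict=verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

With the label from comment 9 (`textrel_shlib_t`) as the current type, both sample denials come back as `stale`, which is the conclusion reached in comment 10.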
