Bug 500328 - {search, read} selinux denials for comm="oracle" dev=proc t_context=unconfined_t tclass={dir, file}
Status: CLOSED DEFERRED
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
Duplicates: 514543 643807
Blocks: 462714
Reported: 2009-05-12 05:57 EDT by Milan Zazrivec
Modified: 2013-04-15 05:53 EDT
Doc Type: Bug Fix
Last Closed: 2013-04-15 05:53:03 EDT
Attachments: None

Description Milan Zazrivec 2009-05-12 05:57:18 EDT
Description of problem:
With Satellite-5.3.0-RHEL5-re20090507.1 on s390x, the following selinux denial occurs
at 4:02 AM (the time the cron.daily batch is scheduled for):

# grep 'denied.*unconfined_t' /var/log/audit/audit.log 
type=AVC msg=audit(1242115330.286:773): avc:  denied  { search }
for  pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc:  denied  { read }
for  pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=file

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-9.1.el5sat
oracle-nofcontext-selinux-0.1-23.8.1.el5sat
oracle-rhnsat-selinux-10.2-11.1.el5sat
spacewalk-selinux-0.5.4-2.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 with EmbeddedDB on RHEL-5, selinux enabled
2. Have it run overnight (or have it arranged so that cron.daily batch
   is run)
3. Watch /var/log/audit/audit.log

Actual results:
SELinux denials.

Expected results:
No denials.

Additional info:
# date -d @1242115330
Tue May 12 04:02:10 EDT 2009
# grep daily /etc/crontab 
02 4 * * * root run-parts /etc/cron.daily
# ls -Z /etc/cron.daily/
-rwxr-xr-x  root root system_u:object_r:bin_t          0anacron
lrwxrwxrwx  root root system_u:object_r:etc_t          0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x  root root system_u:object_r:bin_t          check-oracle-space-usage.sh
-rwxr-xr-x  root root system_u:object_r:bin_t          cups
-rwxr-xr-x  root root system_u:object_r:bin_t          logrotate
-rwxr-xr-x  root root system_u:object_r:bin_t          makewhatis.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          mlocate.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          prelink
-rwxr-xr-x  root root system_u:object_r:bin_t          rhn-ssl-cert-check
-rwxr-xr-x  root root system_u:object_r:bin_t          rpm
-rwxr-xr-x  root root system_u:object_r:bin_t          tmpwatch
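The triage the report does by hand (grep the denials, decode the audit(...) timestamp with `date -d @...`, work out which /proc entry oracle touched and which type pair is involved) can be scripted. The following Python is an added example, not code from this bug or from Satellite: it parses raw audit.log records, decodes the timestamp in UTC, groups denials by source type, target type, object class and permission, lists the allow rules audit2allow would generate for them (the maintainer of this bug declined to ship such a rule; listing them is only the triage step), and picks out denials whose target is on procfs. The sample log is constructed: the first two lines are this report's records rejoined onto one line each as audit.log stores them, the third is a made-up record on a different target type so that grouping is visible, and the last is a non-AVC record the parser has to skip.

```python
"""Triage helper for SELinux AVC denials (added example, not part of the bug report)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit.log excerpt (see the lead-in for what each line is).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242115330.286:773): avc:  denied  { search } for  pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc:  denied  { read } for  pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file
type=AVC msg=audit(1242115331.104:774): avc:  denied  { getattr } for  pid=27271 comm="oracle" name="messages" dev=dm-0 ino=4242 scontext=root:system_r:oracle_db_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1242115330.286:773): arch=80000016 syscall=5 success=no exit=-13 comm="oracle"
"""

# audit(<epoch>.<millis>:<serial>) header, the "denied { perms }" part and the rest.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['epoch'] = int(m.group('epoch'))
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    return rec


def parse_log(text):
    """Parse every AVC denial in an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def audit_time_utc(rec):
    """Decode the audit epoch; UTC so the result does not depend on the local TZ
    (1242115330 is 04:02:10 EDT on 2009-05-12, i.e. 08:02:10 UTC)."""
    return datetime.fromtimestamp(rec['epoch'], timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')


def type_of(context):
    """'root:system_r:oracle_db_t:s0' -> 'oracle_db_t' (the type field of a context)."""
    return context.split(':')[2]


def summarize(records):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        for p in r['perms']:
            counts[(type_of(r['scontext']), type_of(r['tcontext']), r['tclass'], p)] += 1
    return counts


def candidate_rules(records):
    """The allow rules audit2allow would emit for these denials, one per
    (source, target, class).  Whether to ship them is a policy decision."""
    perms = {}
    for (s, t, cls, p) in summarize(records):
        perms.setdefault((s, t, cls), set()).add(p)
    return sorted('allow %s %s:%s { %s };' % (s, t, cls, ' '.join(sorted(ps)))
                  for (s, t, cls), ps in perms.items())


def proc_targets(records):
    """Denials whose target is on procfs, as (acting pid, /proc entry name, class).
    A numeric dir name is another process's pid directory; that is how the
    report knows the oracle process was looking at pid 24997."""
    return [(r['pid'], r['name'], r['tclass']) for r in records if r.get('dev') == 'proc']


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(audit_time_utc(r), r['comm'], r['perms'], r['tclass'], r.get('name'))
    for key, n in sorted(summarize(recs).items()):
        print(n, key)
    print('\n'.join(candidate_rules(recs)))
    print(proc_targets(recs))
```

Run it against a real audit.log with `parse_log(open('/var/log/audit/audit.log').read())`; the summary output is what to compare against the package's own policy before deciding whether a denial is a missing rule or, as in this report, a process wandering through /proc that the policy should keep denying.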
Comment 1 Jan Pazdziora 2009-05-26 06:00:16 EDT
This looks like oracle is listing /proc and finds this user_u process there. However, it's hard to say why it's doing so and why we should allow this. Next time it will find something else in /proc and want to search/read that one.

Milan, are we able to say what the process 24997 was? I understand the situation is not completely deterministic and you have not seen this AVC denial since May 12.

In any case, I prefer not to fix this one (now) because it would not really buy us anything (except a cleaner audit.log).
Comment 2 Jan Pazdziora 2009-05-29 07:29:04 EDT
Milan was able to see the error again on a non-s390x machine. The process which was scanning /proc was ora_pmon_rhnsat, and again, it was reported during the 4:02 time frame, when daily cron jobs are generally run.
Comment 4 Miroslav Suchý 2009-06-09 12:43:22 EDT
I was trying to reproduce this and was unable to do so.
I think this message can be ignored from our POV.
But rather than closing with wontfix or notabug, I suggest punting it to a later release and seeing if we can do something with selinux and user processes.
Comment 5 Miroslav Suchý 2009-07-23 05:36:40 EDT
Giving this back to Jan as he knows more about SELinux.
Comment 6 Jan Pazdziora 2009-07-30 11:05:14 EDT
*** Bug 514543 has been marked as a duplicate of this bug. ***
Comment 8 Jan Hutař 2013-03-11 07:19:13 EDT
*** Bug 643807 has been marked as a duplicate of this bug. ***