Bug 500328 - {search, read} selinux denials for comm="oracle" dev=proc t_context=unconfined_t tclass={dir, file}
Summary: {search, read} selinux denials for comm="oracle" dev=proc t_context=unconfine...
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Duplicates: 514543 643807
Depends On:
Blocks: 462714
Reported: 2009-05-12 09:57 UTC by Milan Zázrivec
Modified: 2013-04-15 09:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-15 09:53:03 UTC
Target Upstream Version:
Embargoed:



Description Milan Zázrivec 2009-05-12 09:57:18 UTC
Description of problem:
Satellite-5.3.0-RHEL5-re20090507.1 on s390x: the following SELinux denials occur
at 4:02 AM (the time the cron.daily batch is scheduled for):

# grep 'denied.*unconfined_t' /var/log/audit/audit.log 
type=AVC msg=audit(1242115330.286:773): avc:  denied  { search }
for  pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc:  denied  { read }
for  pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=file

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-9.1.el5sat
oracle-nofcontext-selinux-0.1-23.8.1.el5sat
oracle-rhnsat-selinux-10.2-11.1.el5sat
spacewalk-selinux-0.5.4-2.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 with EmbeddedDB on RHEL-5, selinux enabled
2. Have it run overnight (or have it arranged so that cron.daily batch
   is run)
3. Watch /var/log/audit/audit.log
  
Actual results:
SELinux denials.

Expected results:
No denials.

Additional info:
# date -d @1242115330
Tue May 12 04:02:10 EDT 2009
# grep daily /etc/crontab 
02 4 * * * root run-parts /etc/cron.daily
# ls -Z /etc/cron.daily/
-rwxr-xr-x  root root system_u:object_r:bin_t          0anacron
lrwxrwxrwx  root root system_u:object_r:etc_t          0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x  root root system_u:object_r:bin_t          check-oracle-space-usage.sh
-rwxr-xr-x  root root system_u:object_r:bin_t          cups
-rwxr-xr-x  root root system_u:object_r:bin_t          logrotate
-rwxr-xr-x  root root system_u:object_r:bin_t          makewhatis.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          mlocate.cron
-rwxr-xr-x  root root system_u:object_r:bin_t          prelink
-rwxr-xr-x  root root system_u:object_r:bin_t          rhn-ssl-cert-check
-rwxr-xr-x  root root system_u:object_r:bin_t          rpm
-rwxr-xr-x  root root system_u:object_r:bin_t          tmpwatch
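As an added triage example (not code from the bug report or from Satellite), the following Python re-joins AVC records that were wrapped onto several lines the way they appear above, pulls out the source/target types, permissions and object class, and checks whether each denial's timestamp lands just after the "02 4 * * *" cron.daily slot, which is the correlation the reporter did by hand with date -d. The sample input is the two records quoted in the description; the UTC-4 offset is an assumption matching the reporter's EDT host.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two AVC records from the report, wrapped as in the bug text.
SAMPLE = """type=AVC msg=audit(1242115330.286:773): avc:  denied  { search }
for  pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc:  denied  { read }
for  pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405
scontext=root:system_r:oracle_db_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=file
"""

AVC_RE = re.compile(r'msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+\{(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def join_wrapped(text):
    """Re-join wrapped records: a line not starting with 'type=' continues the previous one."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Extract the fields an analyst needs from one AVC denial; None if not an AVC record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(record[m.end():])}
    return {"epoch": float(m.group("epoch")), "serial": int(m.group("serial")),
            "perms": m.group("perms").split(), "comm": f.get("comm"),
            "pid": int(f["pid"]) if "pid" in f else None, "name": f.get("name"),
            "stype": f["scontext"].split(":")[2],   # e.g. oracle_db_t
            "ttype": f["tcontext"].split(":")[2],   # e.g. unconfined_t
            "tclass": f.get("tclass")}

def local_time(epoch, utc_offset_hours=-4):
    """Epoch seconds to wall clock; the default offset assumes the reporter's EDT (UTC-4) host."""
    return datetime.fromtimestamp(epoch, tz=timezone(timedelta(hours=utc_offset_hours)))

def within_cron_window(epoch, hour=4, minute=2, slack=timedelta(minutes=5), utc_offset_hours=-4):
    """True if the denial fell within `slack` after the cron.daily start ('02 4 * * *')."""
    t = local_time(epoch, utc_offset_hours)
    start = t.replace(hour=hour, minute=minute, second=0, microsecond=0)
    return start <= t < start + slack

def triage(text):
    """Parse every AVC denial in an audit.log excerpt and flag those in the cron.daily window."""
    rows = [parse_avc(r) for r in join_wrapped(text)]
    rows = [r for r in rows if r]
    for r in rows:
        r["cron_daily"] = within_cron_window(r["epoch"])
    return rows
```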

Comment 1 Jan Pazdziora (Red Hat) 2009-05-26 10:00:16 UTC
This looks like oracle is listing /proc and finds this user_u process there. However, it's hard to say why it's doing so and why we should allow this. Next time it will find something else in /proc and want to search/read that one.

Milan, are we able to say what the process 24997 was? I understand the situation is not completely deterministic and you have not seen this AVC denial since May 12.

In any case, I prefer not to fix this one (now) because it would not really buy us anything (except a cleaner audit.log).

Comment 2 Jan Pazdziora (Red Hat) 2009-05-29 11:29:04 UTC
Milan was able to see the error again on a non-s390x machine. The process which was scanning /proc was ora_pmon_rhnsat, and again, it was reported during the 4:02 time frame, when daily cron jobs are generally run.

Comment 4 Miroslav Suchý 2009-06-09 16:43:22 UTC
I was trying to reproduce and was unable to do so.
I think this message can be ignored from our POV.
But rather than closing with wontfix or notabug, I suggest punting it to a later release and seeing if we can do something with SELinux and user processes.

Comment 5 Miroslav Suchý 2009-07-23 09:36:40 UTC
Giving back to Jan as he knows more about SELinux.

Comment 6 Jan Pazdziora (Red Hat) 2009-07-30 15:05:14 UTC
*** Bug 514543 has been marked as a duplicate of this bug. ***

Comment 8 Jan Hutař 2013-03-11 11:19:13 UTC
*** Bug 643807 has been marked as a duplicate of this bug. ***