Description of problem:
Satellite-5.3.0-RHEL5-re20090507.1 on s390x, the following SELinux denial occurs at 4:02 AM (the time the cron.daily batch is scheduled for):

# grep 'denied.*unconfined_t' /var/log/audit/audit.log
type=AVC msg=audit(1242115330.286:773): avc: denied { search } for pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc: denied { read } for pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file

Version-Release number of selected component (if applicable):
oracle-instantclient-selinux-10.2-9.1.el5sat
oracle-nofcontext-selinux-0.1-23.8.1.el5sat
oracle-rhnsat-selinux-10.2-11.1.el5sat
spacewalk-selinux-0.5.4-2.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 with EmbeddedDB on RHEL-5, SELinux enabled
2. Have it run overnight (or arrange for the cron.daily batch to be run)
3. Watch /var/log/audit/audit.log

Actual results:
SELinux denials.

Expected results:
No denials.

Additional info:
# date -d @1242115330
Tue May 12 04:02:10 EDT 2009
# grep daily /etc/crontab
02 4 * * * root run-parts /etc/cron.daily
# ls -Z /etc/cron.daily/
-rwxr-xr-x root root system_u:object_r:bin_t 0anacron
lrwxrwxrwx root root system_u:object_r:etc_t 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x root root system_u:object_r:bin_t check-oracle-space-usage.sh
-rwxr-xr-x root root system_u:object_r:bin_t cups
-rwxr-xr-x root root system_u:object_r:bin_t logrotate
-rwxr-xr-x root root system_u:object_r:bin_t makewhatis.cron
-rwxr-xr-x root root system_u:object_r:bin_t mlocate.cron
-rwxr-xr-x root root system_u:object_r:bin_t prelink
-rwxr-xr-x root root system_u:object_r:bin_t rhn-ssl-cert-check
-rwxr-xr-x root root system_u:object_r:bin_t rpm
-rwxr-xr-x root root system_u:object_r:bin_t tmpwatch
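To triage denials like the ones above without reading audit.log by hand, the following added script (not part of the bug report or of the Satellite packages) parses AVC records, groups them by source type, target type and object class, and flags records whose timestamp falls in the cron.daily slot from /etc/crontab. The sample log is constructed from the two AVC lines in the report plus one non-AVC filler record, and the EDT offset (-4) is assumed from the `date` output.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample: the two AVC records quoted in the report and one filler record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242115330.286:773): avc: denied { search } for pid=27271 comm="oracle" name="24997" dev=proc ino=1638203394 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=dir
type=AVC msg=audit(1242115330.286:773): avc: denied { read } for pid=27271 comm="oracle" name="stat" dev=proc ino=1638203405 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file
type=SYSCALL msg=audit(1242115330.286:773): comm="oracle" success=no (constructed filler, not an AVC record)
"""

# Field layout of a kernel AVC record: audit(<epoch>.<ms>:<serial>), the braced
# permission list, pid/comm, an optional name="...", then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc: denied'
    r' \{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*? scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"], rec["pid"] = int(rec["ts"]), int(rec["pid"])
    rec["perms"] = rec["perms"].split()
    # The type is the third field of a user:role:type:level context string.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def in_cron_daily_window(ts, tz_hours=-4, hour=4, minute=2, slack_min=5):
    """True if the epoch timestamp lands within slack_min minutes after the
    '02 4 * * *' cron.daily slot, evaluated in the given local offset (EDT assumed)."""
    local = datetime.fromtimestamp(ts, timezone(timedelta(hours=tz_hours)))
    start = local.replace(hour=hour, minute=minute, second=0, microsecond=0)
    return start <= local < start + timedelta(minutes=slack_min)

def summarize(log_text):
    """Group denials by (source_type, target_type, tclass); collect the union of
    denied permissions, the offending pids, and whether any hit the cron.daily window."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "pids": set(), "cron_daily": False})
        g["perms"].update(rec["perms"])
        g["pids"].add(rec["pid"])
        g["cron_daily"] = g["cron_daily"] or in_cron_daily_window(rec["ts"])
    return groups

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_AUDIT_LOG).items():
        print(key, sorted(g["perms"]), sorted(g["pids"]), "cron.daily" if g["cron_daily"] else "")
```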
This looks like oracle is listing /proc and finds this user_u process there. However, it's hard to say why it's doing so and why we should allow this. Next time it will find something else in /proc and want to search/read that one. Milan, are we able to say what the process 24997 was? I understand the situation is not completely deterministic and you have not seen this AVC denial since May 12. In any case, I prefer not to fix this one (now) because it would not really buy us anything (except a cleaner audit.log).
Milan was able to see the error again on a non-s390x machine. The process which was scanning /proc was ora_pmon_rhnsat, and again, it was reported during the 4:02 time frame, when daily cron jobs are generally run.
I was trying to reproduce and was unable to do so. I think this message can be ignored from our POV. But rather than closing with WONTFIX or NOTABUG, I suggest punting it to a later release and seeing if we can do something with SELinux and user processes.
Giving back to Jan as he knows more about SELinux.
*** Bug 514543 has been marked as a duplicate of this bug. ***
*** Bug 643807 has been marked as a duplicate of this bug. ***