Bug 502576 - avc: denied { read write } for comm="tnslsnr" path="/dev/console"
Summary: avc: denied { read write } for comm="tnslsnr" path="/dev/console"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks: 457079
Reported: 2009-05-26 09:01 UTC by Milan Zázrivec
Modified: 2009-09-10 19:12 UTC (History)

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 19:12:48 UTC
Target Upstream Version:
Embargoed:


Attachments
patch solving the problem (tested) (949 bytes, patch)
2009-05-26 09:01 UTC, Milan Zázrivec

Description Milan Zázrivec 2009-05-26 09:01:56 UTC
Created attachment 345410 [details]
patch solving the problem (tested)

Description of problem:
* Satellite-5.3.0-RHEL5-re20090521.1 installation as a xen guest
* selinux denial occurs when oracle server starts and console is attached
to the guest system (xm console $yourguest)

Version-Release number of selected component (if applicable):
oracle-server-i386-10.2.0.4-49

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0, embedded db variant on RHEL5 as a xen guest
2. Restart your satellite
3. From inside xen host, during guest startup do # xm console yourguest
4. # grep denied /var/log/audit/audit.log
  
Actual results:
# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1243328807.645:11): avc:  denied  { read write }
for  pid=1364 comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560
scontext=system_u:system_r:oracle_tnslsnr_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

Expected results:
No denial

Additional info:
N/A
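
Added example, not part of the original report or of the attached patch: a small Python triage script that parses AVC denials such as the one under "Actual results" and groups them by source type, target type and object class, which is the level at which a policy change gets reviewed. The first sample line is the record from this report re-joined onto one line; the other two sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Line 1 is the record from this report, re-joined onto one line as audit.log stores it.
# Lines 2 and 3 are constructed: a non-AVC record, and a repeat with an MLS range.
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1243328807.645:11): avc:  denied  { read write } for  pid=1364 '
    'comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560 '
    'scontext=system_u:system_r:oracle_tnslsnr_t:s0 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1243328807.645:11): arch=40000003 syscall=11 success=yes',
    'type=AVC msg=audit(1243328901.112:19): avc:  denied  { read } for  pid=1402 '
    'comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560 '
    'scontext=system_u:system_r:oracle_tnslsnr_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file',
])

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record: not enough to classify
    rec['perms'] = set(m.group('perms').split())
    # A context is user:role:type[:range]; the range may contain ':' itself,
    # so take the third field instead of splitting from the right.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class); union perms, count hits."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['paths'].add(rec.get('path', '?'))
        g['count'] += 1
    return dict(groups)

if __name__ == '__main__':
    for (stype, ttype, tclass), g in summarize(SAMPLE_LOG).items():
        print(f"{g['count']}x {stype} -> {ttype}:{tclass} "
              f"{{ {' '.join(sorted(g['perms']))} }} on {sorted(g['paths'])}")
```
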

Comment 1 Milan Zázrivec 2009-05-27 08:41:14 UTC
thirdparty.git:

e4207abfcb77ac538dcd51bb359025dc895b9131
d19452f1cbfad708a84706b93249a8424f3b146e
c5760b8629bbdbe839c10b60922d85279c631f2b
640e347c0231d11be2bebda1319c2dc0db8c467c
a07b001c7c582b1774d42686012ee795a752f7d3

tagged:
oracle-server-i386-10.2.0.4-51
oracle-server-s390x-10.2.0.4-51
oracle-server-x86_64-10.2.0.4-51

Comment 2 Milan Zázrivec 2009-05-30 08:30:29 UTC
oracle-server-i386-10.2.0.4-54

Comment 3 wes hayutin 2009-06-02 13:07:56 UTC
verified 5/29

Comment 4 Jan Pazdziora 2009-09-02 13:23:06 UTC
With Satellite-5.3.0-RHEL5-re20090820.1, no AVC denial while I had xm console ad-530-gold running in one terminal and did service oracle start in another. Stage verified -> RELEASE_PENDING.

Comment 5 Brandon Perkins 2009-09-10 19:12:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

