Bug 502576 - avc: denied { read write } for comm="tnslsnr" path="/dev/console"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
530
All Linux
low Severity medium
Assigned To: Milan Zázrivec
wes hayutin
Blocks: 457079
Reported: 2009-05-26 05:01 EDT by Milan Zázrivec
Modified: 2009-09-10 15:12 EDT
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:12:48 EDT
Attachments
patch solving the problem (tested) (949 bytes, patch)
2009-05-26 05:01 EDT, Milan Zázrivec
Description Milan Zázrivec 2009-05-26 05:01:56 EDT
Created attachment 345410
patch solving the problem (tested)

Description of problem:
* Satellite-5.3.0-RHEL5-re20090521.1 installation as a Xen guest
* SELinux denial occurs when the Oracle server starts and a console is attached
to the guest system (xm console $yourguest)

Version-Release number of selected component (if applicable):
oracle-server-i386-10.2.0.4-49

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0, embedded db variant on RHEL5 as a xen guest
2. Restart your satellite
3. From inside xen host, during guest startup do # xm console yourguest
4. # grep denied /var/log/audit/audit.log
  
Actual results:
# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1243328807.645:11): avc:  denied  { read write }
for  pid=1364 comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560
scontext=system_u:system_r:oracle_tnslsnr_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

Expected results:
No denial

Additional info:
N/A
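
Triage aid for the denial reported above, added here as an example (not part of the bug report or of the attached patch): it parses AVC records from audit.log text, groups them by source type, target type and class, and prints the audit2allow-style rule a policy author would then review. Only the first sample record comes from this report (rejoined onto one line); the other two records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the denial from this report, rejoined onto one line as audit.log
# stores it. Records 2 and 3 are constructed sample input.
SAMPLE_LOG = """\
type=AVC msg=audit(1243328807.645:11): avc:  denied  { read write } for  pid=1364 comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560 scontext=system_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1243328807.645:11): arch=40000003 syscall=11 success=yes exit=0 comm="tnslsnr"
type=AVC msg=audit(1243328809.101:14): avc:  denied  { ioctl } for  pid=1364 comm="tnslsnr" path="/dev/console" dev=tmpfs ino=560 scontext=system_u:system_r:oracle_tnslsnr_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Merge the denied permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def candidate_rules(log_text):
    """Render each group as a rule to review; allow vs. dontaudit is a policy decision."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
            for (src, tgt, cls), perms in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```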
Comment 1 Milan Zázrivec 2009-05-27 04:41:14 EDT
thirdparty.git:

e4207abfcb77ac538dcd51bb359025dc895b9131
d19452f1cbfad708a84706b93249a8424f3b146e
c5760b8629bbdbe839c10b60922d85279c631f2b
640e347c0231d11be2bebda1319c2dc0db8c467c
a07b001c7c582b1774d42686012ee795a752f7d3

tagged:
oracle-server-i386-10.2.0.4-51
oracle-server-s390x-10.2.0.4-51
oracle-server-x86_64-10.2.0.4-51
Comment 2 Milan Zázrivec 2009-05-30 04:30:29 EDT
oracle-server-i386-10.2.0.4-54
Comment 3 wes hayutin 2009-06-02 09:07:56 EDT
verified 5/29
Comment 4 Jan Pazdziora 2009-09-02 09:23:06 EDT
With Satellite-5.3.0-RHEL5-re20090820.1, no AVC denial while I had xm console ad-530-gold running in one terminal and did service oracle start in another. Stage verified -> RELEASE_PENDING.
Comment 5 Brandon Perkins 2009-09-10 15:12:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
