Bug 508368 - SELinux issue on s390x install
Status: CLOSED DUPLICATE of bug 505606
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Other
530
All Linux
low Severity medium
Assigned To: Jan Pazdziora
John Matthews
Blocks: 457079
Reported: 2009-06-26 14:46 EDT by John Matthews
Modified: 2009-08-20 08:48 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-06-30 13:32:58 EDT

Attachments:
grep AVC /var/log/audit/audit.log (32.24 KB, text/plain)
2009-06-30 12:57 EDT, John Matthews
Description John Matthews 2009-06-26 14:46:46 EDT
Description of problem:

Installed Satellite on s390x, it failed.  I attempted reinstall and it said it couldn't connect to database.

I started oracle and it failed.
Saw error:

# /etc/init.d/oracle start
/opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl: error while loading shared libraries: /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1: cannot restore segment prot after reloc: Permission denied


I assumed it's a SELinux issue.
I ran:
chcon -R -t textrel_shlib_t /opt/apps/oracle

Now oracle starts.


Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090625.0-s390x-embedded-oracle.iso

How reproducible:
Unsure, the s390x boxes are having more oracle issues with install.  I don't know if the SELinux portion happens towards the end of the install, and the installer bailed out before hitting that area.


Steps to Reproduce:
1. Install sat on s390x, exit install after db install but before finish.
2. Start oracle
  
Actual results:
# /etc/init.d/oracle start
/opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl: error while loading shared libraries: /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1: cannot restore segment prot after reloc: Permission denied


Expected results:
Oracle starts

Additional info:
Comment 1 Jan Pazdziora 2009-06-29 03:05:42 EDT
John,

can you please paste output of:

rpm -q redhat-release
(that's because generally s390x installs on *.z900.redhat.com were RHEL 5.0, not good)

semodule -l
(to see if the SELinux policy modules are loaded at all)

grep AVC /var/log/audit/audit.log
(to see what AVC denials you got)

ls -Z /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
(to see the type of these two)

execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
(to see the execstack of these two)

Thank you.
Comment 2 Jan Pazdziora 2009-06-29 03:08:25 EDT
In general, I consider this a dupe of 505606 but I'd like to have it confirmed.
Comment 3 John Matthews 2009-06-30 12:55:24 EDT
Hi Jan,

This is the default RHEL 5.0 provisioning setup from the z900 setup.


rpm -q redhat-release
redhat-release-5Server-5.0.0.9


# semodule -l
amavis	1.1.0
ccs	1.0.0
clamav	1.1.0
dcc	1.1.0
dnsmasq	1.1.1
evolution	1.1.0
ipsec	1.4.0
iscsid	1.0.0
mozilla	1.1.0
mplayer	1.1.0
nagios	1.1.0
oddjob	1.0.1
pcscd	1.0.0
pki	1.0.0
prelude	1.0.0
pyzor	1.1.0
razor	1.1.0
ricci	1.0.0
smartmon	1.1.0
virt	1.0.0
zosremote	1.0.0


# ls -Z /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
-rwxr-x--x  oracle dba system_u:object_r:textrel_shlib_t /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl

rwxr-xr-x  oracle dba system_u:object_r:textrel_shlib_t /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1


execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl
- /opt/apps/oracle/web/product/10.2.0/db_1/bin/lsnrctl

 execstack -q /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
- /opt/apps/oracle/web/product/10.2.0/db_1/lib/libclntsh.so.10.1
Comment 4 John Matthews 2009-06-30 12:57:05 EDT
Created attachment 349972 [details]
grep AVC /var/log/audit/audit.log
Comment 5 Jan Pazdziora 2009-06-30 13:32:58 EDT
John, installation of plain RHEL 5.0 will not work unless you relabel the filesystem. None of the Spacewalk/Oracle SELinux modules are loaded here.

Please see bug 505606 for more info. I'm closing this bugzilla as dupe of 505606. Feel free to reopen if you think otherwise.

*** This bug has been marked as a duplicate of bug 505606 ***
Comment 6 John Matthews 2009-07-01 17:30:57 EDT
Hi Jan,

I followed your advice and upgraded the s390x machine to 5.3, did the upgrade from 5.0 to 5.3 through "yum update -y" followed by a reboot.

# rpm -q redhat-release
redhat-release-5Server-5.3.0.3

I attempted an install, it failed with this message:
oracle-rhnsat   10.2.11.4
+ restorecon -rv /rhnsat
restorecon set context /rhnsat->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/admin->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/data->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'

I then realized I didn't relabel the FS as you said, so I executed:
# touch /.autorelabel
# reboot

I watched through the x3270 console and saw that the files were relabeled during bootup.

I re-ran the install.pl and saw the same Oracle errors:
# tail /var/log/rhn/install_db.log 
+ mkdir -p /rhnsat/data /rhnsat/admin
+ chown -R oracle:dba /rhnsat
+ selinuxenabled
+ semodule -l
+ grep '^oracle-rhnsat\b'
oracle-rhnsat	10.2.11.4
+ restorecon -rv /rhnsat
restorecon set context /rhnsat->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/admin->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'
restorecon set context /rhnsat/data->system_u:object_r:oracle_dir_t:s0 failed:'Operation not supported'


/rhnsat is an NFS mount
/var/satellite is an NFS mount


# grep AVC /var/log/audit/audit.log 
type=USER_AVC msg=audit(1246479370.866:27): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479393.706:30): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=3) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479420.986:31): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479440.806:33): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=5) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479451.436:35): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=6) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479460.406:37): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479580.806:39): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=8) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479588.956:42): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=9) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479748.756:57): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=10) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479789.926:59): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=11) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479824.936:61): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=12) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479833.796:62): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479943.236:66): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479955.166:68): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=15) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479962.096:70): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=16) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479979.206:72): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=17) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246479989.316:74): user pid=1374 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=18) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1246482578.398:49): user pid=1393 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'


# semodule -l
amavis	1.1.0
ccs	1.0.0
clamav	1.1.0
dcc	1.1.0
dnsmasq	1.1.1
evolution	1.1.0
ipsec	1.4.0
iscsid	1.0.0
jabber	1.4.2.6
mozilla	1.1.0
mplayer	1.1.0
nagios	1.1.0
oddjob	1.0.1
oracle-nofcontext	1.1.1
oracle-rhnsat	10.2.11.4
osa-dispatcher	5.9.10.5
pcscd	1.0.0
pki	1.0.0
prelude	1.0.0
pyzor	1.1.0
razor	1.1.0
ricci	1.0.0
smartmon	1.1.0
spacewalk-monitoring	0.5.7.9
spacewalk	0.5.4.9
virt	1.0.0
zosremote	1.0.0


# ls -Z /rhnsat/
drwxr-xr-x  oracle dba system_u:object_r:nfs_t          admin
drwxr-xr-x  oracle dba system_u:object_r:nfs_t          data


Do you have any tips for getting past these errors?

Thanks,
John
Comment 8 John Matthews 2009-07-01 17:40:55 EDT
Setting NEED_INFO for comment #6, as I removed it by accident.
Comment 9 Jan Pazdziora 2009-07-02 02:54:05 EDT
/rhnsat on NFS is not supported. If you want to test embedded on s390x, you'll need to find a machine with a large enough disk to put the embedded data in /rhnsat on the local disk.
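
Added example, not part of the original thread or of the Satellite installer: a preflight check for the two conditions diagnosed in comments 5 and 9, namely required SELinux policy modules missing from `semodule -l` and the data directory sitting on NFS, where restorecon failed with 'Operation not supported' in comment 6. The function names, the sample listing and the sample mount table (including nfs.example.com) are constructed for illustration; on a real host the inputs would be "$(semodule -l)" and "$(cat /proc/mounts)".

```bash
#!/bin/bash
# Added example; function names are hypothetical, sample data is constructed.

# missing_modules LISTING MODULE...: print each MODULE absent from `semodule -l` text.
missing_modules() {
    listing=$1; shift
    for m in "$@"; do
        # The first whitespace-separated field of each line is the module name.
        printf '%s\n' "$listing" |
            awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' ||
            printf '%s\n' "$m"
    done
}

# fstype_of MOUNTS PATH: filesystem type of the longest mount point covering PATH.
# MOUNTS is text in /proc/mounts format: device mountpoint fstype options ...
fstype_of() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {   mp = $2
            covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (covers && length(mp) > best) { best = length(mp); fs = $3 }
        }
        END { print fs }'
}

# preflight LISTING MOUNTS DIR MODULE...: succeed only if every MODULE is loaded
# and DIR is not on NFS (restorecon cannot set contexts there; files stay nfs_t).
preflight() {
    listing=$1; mounts=$2; dir=$3; shift 3
    rc=0
    missing=$(missing_modules "$listing" "$@")
    [ -z "$missing" ] || { echo "policy modules not loaded:" $missing; rc=1; }
    case $(fstype_of "$mounts" "$dir") in
        nfs|nfs4) echo "$dir is on NFS: restorecon will fail"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input, shaped like the RHEL 5.0 listing and the NFS /rhnsat above.
RHEL50_MODULES='amavis	1.1.0
ccs	1.0.0
zosremote	1.0.0'
MOUNTS='/dev/dasda1 / ext3 rw 0 0
nfs.example.com:/export/rhnsat /rhnsat nfs rw 0 0'

preflight "$RHEL50_MODULES" "$MOUNTS" /rhnsat oracle-rhnsat spacewalk || echo "preflight failed"
```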
Comment 10 John Matthews 2009-08-20 08:48:37 EDT
Marking CloseValid
