Description of problem:
Spacewalk 0.6 on CentOS 5 generates a handful of selinux denials.

Version-Release number of selected component (if applicable):
[root@sw3 audit]# rpm -qa | grep selinux
libselinux-python-1.33.4-5.el5
oracle-nofcontext-selinux-0.1-23.10.el5
jabberd-selinux-1.4.6-1.el5
spacewalk-selinux-0.6.13-1.el5
oracle-instantclient-selinux-10.2-15.el5
spacewalk-monitoring-selinux-0.6.12-1.el5
libselinux-1.33.4-5.el5
selinux-policy-2.4.6-137.el5
selinux-policy-targeted-2.4.6-137.el5
oracle-instantclient-sqlplus-selinux-10.2-15.el5
osa-dispatcher-selinux-5.9.20-1.el5
[root@sw3 audit]#

Steps to Reproduce:
1. Install 0.6 from devel repo on CentOS 5

Actual results:
(dgoodwin@redhat ~) $ grep AVC audit.log
type=AVC msg=audit(1249049382.962:250): avc: denied { write } for pid=8212 comm="sqlplus" path="/var/log/rhn/populate_db.log" dev=dm-0 ino=1444841 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spacewalk_install_log_t:s0 tclass=file
type=AVC msg=audit(1249049382.994:251): avc: denied { getattr } for pid=8212 comm="sqlplus" path="/var/log/rhn/populate_db.log" dev=dm-0 ino=1444841 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spacewalk_install_log_t:s0 tclass=file

Additional info:
[root@sw3 audit]# getenforce
Permissive
[root@sw3 audit]#
Fixed in Spacewalk repo, master 86a120213c5626cf0024aae93381f23e9e84fe8e. New spacewalk-setup package will be needed.
Created attachment 356855: audit.log with lots of selinux denials

Did this fix go to the 0.6 release? Because I got lots of SELinux denials related to oracle after yum upgrade from 0.5 to 0.6, while it worked fine before. I was only able to do the upgrade howto for Spacewalk on my RHEL 5Server after setting SELinux to permissive mode. See the audit.log attached; you may want to grep it for oracle (or sqlplus, too).
The fix mentioned in comment 1 appeared in spacewalk-setup-0.6.17-1. I'll have to investigate your audit.log. Could you please provide the output of

# rpm -qa | egrep '(spacewalk|selinux)'

? Thank you.
# rpm -qa | egrep '(spacewalk|selinux)'
libselinux-1.33.4-5.1.el5
selinux-policy-2.4.6-203.el5
spacewalk-backend-0.6.30-1.el5
oracle-instantclient-selinux-10.2-15.el5
spacewalk-html-0.6.19-1.el5
spacewalk-repo-0.6-1.el5
spacewalk-backend-server-0.6.30-1.el5
spacewalk-backend-app-0.6.30-1.el5
spacewalk-backend-package-push-server-0.6.30-1.el5
spacewalk-base-minimal-0.6.19-1.el5
spacewalk-monitoring-selinux-0.6.12-1.el5
spacewalk-setup-0.6.21-1.el5
spacewalk-0.6.4-1.el5
selinux-policy-targeted-2.4.6-203.el5
oracle-nofcontext-selinux-0.1-23.11.el5
spacewalk-backend-xml-export-libs-0.6.30-1.el5
spacewalk-backend-config-files-tool-0.6.30-1.el5
spacewalk-backend-iss-0.6.30-1.el5
spacewalk-java-0.6.42-1.el5
spacewalk-pxt-0.6.19-1.el5
spacewalk-moon-0.6.19-1.el5
spacewalk-monitoring-0.6.7-1.el5
spacewalk-selinux-0.6.13-1.el5
libselinux-python-1.33.4-5.1.el5
spacewalk-java-config-0.6.42-1.el5
jabberd-selinux-1.4.6-1.el5
spacewalk-doc-indexes-0.6.1-1.el5
spacewalk-backend-config-files-common-0.6.30-1.el5
spacewalk-backend-config-files-0.6.30-1.el5
spacewalk-backend-applet-0.6.30-1.el5
spacewalk-taskomatic-0.6.42-1.el5
spacewalk-base-0.6.19-1.el5
spacewalk-grail-0.6.19-1.el5
spacewalk-sniglets-0.6.19-1.el5
spacewalk-admin-0.6.3-1.el5
spacewalk-schema-0.6.22-1.el5
libselinux-utils-1.33.4-5.1.el5
spacewalk-certs-tools-0.6.3-1.el5
spacewalk-config-0.6.13-1.el5
spacewalk-java-lib-0.6.42-1.el5
spacewalk-branding-0.6.8-1.el5
oracle-instantclient-sqlplus-selinux-10.2-15.el5
oracle-xe-selinux-10.2-13.el5
spacewalk-backend-sql-0.6.30-1.el5
spacewalk-backend-xmlrpc-0.6.30-1.el5
spacewalk-backend-iss-export-0.6.30-1.el5
spacewalk-backend-xp-0.6.30-1.el5
spacewalk-search-0.6.11-1.el5
spacewalk-cypress-0.6.19-1.el5
spacewalk-backend-tools-0.6.30-1.el5
osa-dispatcher-selinux-5.9.21-1.el5
OK, so the first AVC denial (type of) is

type=AVC msg=audit(1249826813.350:2295): avc: denied { getattr } for pid=5053 comm="osa-dispatcher" path="/etc/tnsnames.ora" dev=dm-0 ino=8683711 scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file

How did you create the /etc/tnsnames.ora? What does

# restorecon -nrvvi /etc/tnsnames.ora

say? Because I don't see anything in our policies which should cause it to be etc_runtime_t.
By the way, is your RHEL 5 fully upgraded? Because that

type=AVC msg=audit(1249835323.219:3612): avc: denied { connectto } for pid=8336 comm="semodule" path="/var/run/setrans/.setrans-unix" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

sure looks like some generic problem in your system installation, something which you probably should fix before we try to decipher the rest of those AVCs.
I think I never touched that file, i.e. it was created during the installation/upgrade (was 0.5, now 0.6) procedure. But I'm not 100% sure about that.

[root@id-rhn-proxy-01 ~]# restorecon -nrvvi /etc/tnsnames.ora
restorecon reset /etc/tnsnames.ora context user_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

There are some updates pending, from pretty new errata (i.e. newer than this bug report): libxml2{,-python}, apr{,-util}, spacewalk-repo. Will update them ASAP.
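The thread above ends up sorting denials into two kinds: a real policy gap (comment 1, sqlplus writing to a file labeled spacewalk_install_log_t, fixed in spacewalk-setup) and a mislabeled file (comment 8, /etc/tnsnames.ora carrying etc_runtime_t where restorecon expects etc_t). The following Python is an added example, not code from this bug report, from Spacewalk or from the SELinux userland: it groups AVC records by (source type, target type, object class), prints one rule per group in the shape audit2allow emits, and lists the paths involved so that each group can first be checked with `restorecon -nv <path>`; only a group whose labels are already correct is a candidate for a policy change. The regex is an assumption that matches the RHEL 5 AVC format quoted in this thread, and the sample input is constructed from the four records quoted above plus one non-AVC line the parser must skip.

```python
"""Group SELinux AVC denials from an audit.log by (source type, target type, class).

Added example for this bug report; not part of Spacewalk or of the SELinux
userland.  For each group it prints an audit2allow-style rule plus the paths
seen, so mislabeled files (fix: restorecon) can be told apart from genuine
policy gaps (fix: policy module) before any allow rule is written.
"""
import re

# Constructed input: the four AVC records quoted in this bug report plus one
# SYSCALL line that must be ignored.  This is NOT the attached audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1249049382.962:250): avc: denied { write } for pid=8212 comm="sqlplus" path="/var/log/rhn/populate_db.log" dev=dm-0 ino=1444841 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spacewalk_install_log_t:s0 tclass=file
type=AVC msg=audit(1249049382.994:251): avc: denied { getattr } for pid=8212 comm="sqlplus" path="/var/log/rhn/populate_db.log" dev=dm-0 ino=1444841 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spacewalk_install_log_t:s0 tclass=file
type=AVC msg=audit(1249826813.350:2295): avc: denied { getattr } for pid=5053 comm="osa-dispatcher" path="/etc/tnsnames.ora" dev=dm-0 ino=8683711 scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1249835323.219:3612): avc: denied { connectto } for pid=8336 comm="semodule" path="/var/run/setrans/.setrans-unix" scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1249049382.962:250): arch=c000003e syscall=2 success=yes exit=3
"""

# Assumed record layout: the kernel AVC format as quoted in this thread.
# path= is optional (socket denials may carry name= or nothing instead).
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": m.group("comm"),
        "path": m.group("path"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "paths": set(), "comms": set()})
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        if rec["path"]:
            g["paths"].add(rec["path"])
    return groups


def allow_rules(groups):
    """One 'allow src tgt:class { perms };' line per group, in sorted key order."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for rule, (key, g) in zip(allow_rules(groups), sorted(groups.items())):
        print(rule)
        for p in sorted(g["paths"]):
            # Verify the label before treating the denial as a policy gap.
            print(f"    # {','.join(sorted(g['comms']))} on {p}  (check: restorecon -nv {p})")
```

Run against a real /var/log/audit/audit.log, the osa_dispatcher_t/etc_runtime_t group is exactly the one where `restorecon -nv` reports a change (as in comment 8), so it needs a relabel rather than the printed rule; the oracle_sqlplus_t/spacewalk_install_log_t group is the one that justified a policy change.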
Spacewalk 0.6 released