Bug 519174 - SELinux denials starting up and stopping oracle
Summary: SELinux denials starting up and stopping oracle
Keywords:
Status: CLOSED DUPLICATE of bug 580047
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL: na
Whiteboard:
Depends On: 489377
Blocks: 462714
Reported: 2009-08-25 14:09 UTC by Miroslav Suchý
Modified: 2013-04-15 11:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 489377
Environment:
Last Closed: 2013-04-15 11:13:10 UTC
Target Upstream Version:
Embargoed:



Description Miroslav Suchý 2009-08-25 14:09:03 UTC
+++ This bug was initially created as a clone of Bug #489377 +++

Description of problem:

Satellite-5.3.0-RHEL5-re20090306.2-i386-embedded-oracle.iso

Referring to bug https://bugzilla.redhat.com/show_bug.cgi?id=483004

retested on the latest build and I'm seeing denials when starting and stopping oracle

type=AVC msg=audit(1236624621.564:1417): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1418): avc:  denied  { name_bind } for  pid=26929 comm="osa-dispatcher" src=820 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1419): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1420): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1421): avc:  denied  { name_bind } for  pid=26929 comm="osa-dispatcher" src=821 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1422): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


[root@grandprix audit]# ps -ef | grep 26929
root     26929     1  0 13:49 pts/0    00:00:00 /usr/bin/python /usr/sbin/osa-dispatcher --pid-file /var/run/osa-dispatcher.pid
root     29573 26456  0 14:52 pts/0    00:00:00 grep 26929
[root@grandprix audit]#

--- Additional comment from jpazdziora on 2009-03-09 15:08:59 EDT ---

How do you restart that Oracle? (Please, *always* use the full default template when filing new bugzilla.)

I ask because it seems strange that restarting Oracle would generate AVCs from osa-dispatcher, so I wonder if you maybe also restarted osa-dispatcher, or something.

Also, I wonder how exactly this relates to bug 483004 -- that one does not have any name_connect nor name_bind AVCs ...

--- Additional comment from whayutin on 2009-03-09 15:26:09 EDT ---

root@grandprix ~]# service oracle restart
Shutdown Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/shutdown.log
                                                           [  OK  ]
Starting Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/startup.log
                            

type=AVC msg=audit(1236626712.747:1529): avc:  denied  { search } for  pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc:  denied  { node_bind } for  pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc:  denied  { name_bind } for  pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

--- Additional comment from jpazdziora on 2009-03-16 08:59:40 EDT ---

Wes, so what were the osa-dispatcher AVC denials in comment 0 about? Do we have bugzilla for those?

--- Additional comment from whayutin on 2009-03-16 09:10:20 EDT ---

There have been two other bugs opened on osa-dispatcher avc denials. One is verified and the other we thought we could close due to the "screen" issue.  For this bug ignore the osa-dispatcher avc denials, and only work w/ the denials in comment #2

--- Additional comment from jpazdziora on 2009-03-16 09:37:55 EDT ---

But they are NIS-related, aren't they? (I'm happy to keep this bugzilla for oracle/sqlplus NIS-related issues only, I just wouldn't like something to fall through cracks.)

--- Additional comment from jpazdziora on 2009-03-16 09:53:48 EDT ---

Fix allowing Oracle to use NIS in Spacewalk repo, commit 8e09915ab3c5c2091b85d20401bb27a46d81c5a0.

--- Additional comment from jpazdziora on 2009-03-23 04:35:41 EDT ---

Tagged as oracle-rhnsat-selinux-10.2-10.

--- Additional comment from jpazdziora on 2009-03-30 05:14:17 EDT ---

With compose Satellite-5.3.0-RHEL5-re20090327.0 available, moving ON_QA.

--- Additional comment from whayutin on 2009-03-30 15:14:32 EDT ---

no denials when satellite is stopped and oracle is restarted...

no denials when oracle is restarted when satellite is running..

verified

--- Additional comment from msuchy on 2009-08-25 10:06:54 EDT ---

[root@xen5 ~]# getenforce; echo BBBBBBBBB >>/var/log/audit/audit.log; service oracle restart; grep -A 999999999 BBBBBBBBB  /var/log/audit/audit.log |grep denied
Permissive
Shutting down Oracle Net Listener ...                      [  OK  ]
Shutting down Oracle DB instance "rhnsat" ...              [  OK  ]
Starting Oracle Net Listener ...                           [  OK  ]
Starting Oracle DB instance "rhnsat" ...                   [  OK  ]
type=AVC msg=audit(1251208527.650:4609): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file

The original AVC denials do not appear. These two new ones, however, do appear. I verify this bug and I'm going to clone a new bz due to these two.
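
Added example, not part of the original bug report or of Satellite/Spacewalk code: a small Python triage helper that applies the marker technique from the last comment (only records after the marker count) and collapses repeated AVC denials into distinct (comm, source type, target type, class, permissions) tuples, which is how the comments above separate the osa-dispatcher denials from the sqlplus ones. The function names are hypothetical; the sample records are copied from this report, and their arrangement around the marker is constructed.

```python
import re
from collections import Counter

# AVC records copied from this bug report; their arrangement around the
# BBBBBBBBB marker line is constructed for the example.
SAMPLE = """\
type=AVC msg=audit(1236624621.564:1417): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1419): avc:  denied  { name_connect } for  pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc:  denied  { name_bind } for  pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
BBBBBBBBB
type=AVC msg=audit(1251208527.650:4609): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc:  denied  { append } for  pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (comm, source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type:level, so the type is the third field.
        return (f.get("comm", "?"), f["scontext"].split(":")[2],
                f["tcontext"].split(":")[2], f["tclass"],
                tuple(m.group("perms").split()))
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def after_marker(text, marker):
    """Keep only lines after the last marker line (all lines if absent)."""
    lines = text.splitlines()
    last = max((i for i, l in enumerate(lines) if l.strip() == marker), default=-1)
    return "\n".join(lines[last + 1:])

def summarize(text):
    """Count denials per distinct (comm, source, target, class, perms)."""
    return Counter(r for r in map(parse_avc, text.splitlines()) if r)

if __name__ == "__main__":
    for key, n in summarize(after_marker(SAMPLE, "BBBBBBBBB")).items():
        print(n, *key)
```

Using the last occurrence of the marker keeps a rerun with the same marker string from mixing in denials from an earlier test run.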

Comment 1 Jan Pazdziora (Red Hat) 2013-04-15 11:13:10 UTC

*** This bug has been marked as a duplicate of bug 580047 ***

