+++ This bug was initially created as a clone of Bug #489377 +++

Description of problem:
Satellite-5.3.0-RHEL5-re20090306.2-i386-embedded-oracle.iso

Referring to bug
https://bugzilla.redhat.com/show_bug.cgi?id=483004

retested on the latest build and I'm seeing denials when starting and stopping oracle

type=AVC msg=audit(1236624621.564:1417): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1418): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=820 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1419): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1420): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1421): avc: denied { name_bind } for pid=26929 comm="osa-dispatcher" src=821 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236624621.564:1422): avc: denied { name_connect } for pid=26929 comm="osa-dispatcher" dest=111 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

[root@grandprix audit]# ps -ef | grep 26929
root 26929 1 0 13:49 pts/0 00:00:00 /usr/bin/python /usr/sbin/osa-dispatcher --pid-file /var/run/osa-dispatcher.pid
root 29573 26456 0 14:52 pts/0 00:00:00 grep 26929
[root@grandprix audit]#

--- Additional comment from jpazdziora on 2009-03-09 15:08:59 EDT ---

How do you restart that Oracle? (Please, *always* use the full default template when filing new bugzilla.)

I ask because it seems strange that restarting Oracle would generate AVCs from ora-dispatcher, so I wonder if you maybe also restarted osa-dispatcher, or something.

Also, I wonder how exactly this relates to bug 483004 -- that one does not have any name_connect nor name_bind AVCs ...

--- Additional comment from whayutin on 2009-03-09 15:26:09 EDT ---

root@grandprix ~]# service oracle restart
Shutdown Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/shutdown.log [ OK ]
Starting Oracle: Processing Database instance "rhnsat": log file /opt/apps/oracle/web/product/10.2.0/db_1/log/startup.log

type=AVC msg=audit(1236626712.747:1529): avc: denied { search } for pid=31903 comm="sqlplus" name="yp" dev=dm-0 ino=1504428 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1236626712.747:1530): avc: denied { node_bind } for pid=31903 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1236626712.747:1531): avc: denied { name_bind } for pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

--- Additional comment from jpazdziora on 2009-03-16 08:59:40 EDT ---

Wes, so what were the osa-dispatcher AVC denials in comment 0 about? Do we have bugzilla for those?

--- Additional comment from whayutin on 2009-03-16 09:10:20 EDT ---

There have been two other bugs opened on osa-dispatcher avc denials. One is verified and the other we thought we could close due to the "screen" issue.

For this bug ignore the osa-dispatcher avc denials, and only work w/ the denials in comment #2

--- Additional comment from jpazdziora on 2009-03-16 09:37:55 EDT ---

But they are NIS-related, aren't they? (I'm happy to keep this bugzilla for oracle/sqlplus NIS-related issues only, I just wouldn't like something to fall through cracks.)

--- Additional comment from jpazdziora on 2009-03-16 09:53:48 EDT ---

Fix allowing Oracle to use NIS in Spacewalk repo, commit 8e09915ab3c5c2091b85d20401bb27a46d81c5a0.

--- Additional comment from jpazdziora on 2009-03-23 04:35:41 EDT ---

Tagged as oracle-rhnsat-selinux-10.2-10.

--- Additional comment from jpazdziora on 2009-03-30 05:14:17 EDT ---

With compose Satellite-5.3.0-RHEL5-re20090327.0 available, moving ON_QA.

--- Additional comment from whayutin on 2009-03-30 15:14:32 EDT ---

no denials when satellite is stopped and oracle is restarted...
no denials when oracle is restarted when satellite is running..

verified

--- Additional comment from msuchy on 2009-08-25 10:06:54 EDT ---

[root@xen5 ~]# getenforce; echo BBBBBBBBB >>/var/log/audit/audit.log; service oracle restart; grep -A 999999999 BBBBBBBBB /var/log/audit/audit.log |grep denied
Permissive
Shutting down Oracle Net Listener ... [ OK ]
Shutting down Oracle DB instance "rhnsat" ... [ OK ]
Starting Oracle Net Listener ... [ OK ]
Starting Oracle DB instance "rhnsat" ... [ OK ]
type=AVC msg=audit(1251208527.650:4609): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file

Original AVC denials do not appear. These two new ones, however, appear.
I verify this bug and I'm going to clone a new bz due to these two.

*** This bug has been marked as a duplicate of bug 580047 ***
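
The verification step in the last comment (write a marker into audit.log, restart the service, then grep everything after the marker for `denied`) can be tightened by grouping the denials by command, source type, target type, class and permission, so that denials tracked in other bugs can be set aside. This is an added example, not part of the original bug report; the function names are hypothetical and the sample log is assembled from AVC records quoted in the thread.

```python
import re
from collections import Counter

# Sample audit.log content, constructed for this example from AVC records quoted
# in the thread; the marker line mimics the "echo BBBBBBBBB >> audit.log" step.
SAMPLE_LOG = """\
type=AVC msg=audit(1236626712.747:1531): avc: denied { name_bind } for pid=31903 comm="sqlplus" src=703 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
BBBBBBBBB
type=AVC msg=audit(1251208527.650:4609): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1251208547.839:4610): avc: denied { append } for pid=16124 comm="osa-dispatcher" path="/sqlnet.log" dev=xvda1 ino=654 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:root_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denials_after_marker(log_text, marker):
    """Count AVC denials logged after the last marker line, grouped by rule shape."""
    lines = log_text.splitlines()
    # Start after the last marker; if the marker is missing, scan the whole log.
    start = max((i for i, l in enumerate(lines) if l.strip() == marker), default=-1) + 1
    counts = Counter()
    for line in lines[start:]:
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():  # one record may list several perms
            counts[(m.group("comm"), selinux_type(m.group("scontext")),
                    selinux_type(m.group("tcontext")), m.group("tclass"), perm)] += 1
    return counts

def has_relevant_denials(log_text, marker, ignore_comms=()):
    """True if any denial after the marker comes from a command not in ignore_comms."""
    return any(k[0] not in ignore_comms for k in denials_after_marker(log_text, marker))

if __name__ == "__main__":
    for key, n in sorted(denials_after_marker(SAMPLE_LOG, "BBBBBBBBB").items()):
        print(n, *key)
```
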