Bug 565417 - SELinux AVC after a week
SELinux AVC after a week
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
Šimon Lukašík
:
: 654581 (view as bug list)
Depends On: 489548
Blocks: sat541-blockers
  Show dependency treegraph
 
Reported: 2010-02-15 04:20 EST by Petr Sklenar
Modified: 2011-06-16 22:45 EDT (History)
5 users (show)

See Also:
Fixed In Version: oracle-selinux-0.1.23.25-3 oracle-rhnsat-selinux-10.2.0.16-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-16 22:45:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Sklenar 2010-02-15 04:20:58 EST
Description of problem:
I install 530 satellite + upgraded form rhn.stage. After one week I can see this avc denial which I cannot reproduce. Satellite was only running during last week with no user activities.

type=AVC msg=audit(1266040097.765:7014): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
sat 531, upgraded from stage

How reproducible:
deterministic 

Steps to Reproduce:
1. install 531,satellite
2. wait a week ... 
  
Actual results:1266040097.765:7014
[root@smqa-r210-02 ~]# cat /var/log/audit/audit.log  | grep den 
type=USER_ERR msg=audit(1263217558.076:624): user pid=8988 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=dhcp-lab-100.englab.brq.redhat.com, addr=10.34.33.100, terminal=ssh res=failed)'
type=AVC msg=audit(1266040097.745:7002): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.745:7003): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7004): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7005): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7006): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7007): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7008): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7009): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7010): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7011): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7012): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7013): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7014): avc:  denied  { search } for  pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir


Expected results:
no denial

Additional info:
let me know which output I should attached
Comment 1 Petr Sklenar 2010-02-15 05:02:12 EST
[root@smqa-r210-02 ~]#  find / -mount -inum 48758824 -print
/opt/apps/oracle/web/product/10.2.0/db_1/network/log
[root@smqa-r210-02 ~]# ls -Zla /opt/apps/oracle/web/product/10.2.0/db_1/network/log
total 136
drwxrwx---  2 user_u:object_r:oracle_tnslsnr_log_t oracle dba     4096 Feb 15 10:18 .
drwxrwx--- 10 system_u:object_r:usr_t          oracle dba     4096 Feb  1 11:34 ..
-rw-r-----  1 root:object_r:oracle_tnslsnr_log_t oracle oracle  6084 Feb 15 11:01 listener.log
-rw-r-----  1 root:object_r:oracle_tnslsnr_log_t oracle oracle 98853 Feb 15 10:18 listener.log.1.gz
Comment 2 Petr Sklenar 2010-02-15 05:09:13 EST
[root@smqa-r210-02 ~]# ls -Zdla /opt/apps/oracle/web/product/10.2.0/db_1/network/log
drwxrwx--- 2 user_u:object_r:oracle_tnslsnr_log_t oracle dba 4096 Feb 15 10:18 /opt/apps/oracle/web/product/10.2.0/db_1/network/log

restorecon on this dir and files inside doesn't change a context.
Comment 3 Jiri Kastner 2011-02-03 06:50:16 EST
[root@rhndev5 ~]# sealert -a /var/log/audit/audit.log 
100% donefound 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------


Summary:

SELinux is preventing oracle (oracle_db_t) "search" to ./log (oracle_tnslsnr_log_t).

Detailed Description:

SELinux denied access requested by oracle. It is not expected that this access
is required by oracle and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./log,

restorecon -v './log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:oracle_db_t
Target Context                user_u:object_r:oracle_tnslsnr_log_t
Target Objects                ./log [ dir ]
Source                        oracle
Source Path                   /opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           oracle-server-s390x-10.2.0.4-65.el5sat
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     rhndev5
Platform                      Linux rhndev5 2.6.18-238.el5
                              #1 SMP Sun Dec 19 14:27:28 EST 2010 s390x s390x
Alert Count                   13
First Seen                    Thu Feb  3 01:34:14 2011
Last Seen                     Thu Feb  3 01:34:14 2011
Local ID                      a824e83e-9c06-41dd-9871-0518a4e46d07
Line Numbers                  303, 304, 305, 306, 307, 308, 309, 310, 311, 312,
                              313, 314, 315, 316, 317, 318, 319, 320, 321, 322,
                              323, 324, 325, 326, 327, 328

Raw Audit Messages            

type=AVC msg=audit(1296714854.500:274): avc:  denied  { search } for  pid=10435 comm="oracle" name="log" dev=dm-0 ino=461991 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir

type=SYSCALL msg=audit(1296714854.500:274): arch=80000016 syscall=5 success=no exit=-13 a0=3ffff989128 a1=441 a2=1b6 a3=1b6 items=0 ppid=1 pid=10435 auid=4294967295 uid=100 gid=157 euid=100 suid=100 fsuid=100 egid=156 sgid=156 fsgid=156 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=root:system_r:oracle_db_t:s0 key=(null)

[root@rhndev5 ~]# find / -mount -inum 461991 -print
/opt/apps/oracle/web/product/10.2.0/db_1/network/log
Comment 4 Jan Pazdziora 2011-04-06 03:41:57 EDT
The reproducer is actually pretty easy -- run sqlplus rhnsat/asdf@rhnsat with incorrect password and after sqlplus says

ERROR:
ORA-01017: invalid username/password; logon denied

Enter user-name: 

don't do anything for cca a minute. After that time, oracle will expire the session with ORA-3136 and attempt to log the situation to /opt/apps/oracle/web/product/10.2.0/db_1/network/log/sqlnet.log.
Comment 5 Jan Pazdziora 2011-04-06 03:42:12 EDT
*** Bug 654581 has been marked as a duplicate of this bug. ***
Comment 6 Jan Pazdziora 2011-04-06 03:42:59 EDT
The Spacewalk upstream bugzilla is bug 489548.
Comment 7 Jan Pazdziora 2011-04-06 04:28:10 EDT
Fixed in Spacewalk master, 85b5cf4d54b389d2ca14c955766265457cf0c47c.
Comment 10 Jan Pazdziora 2011-04-11 06:06:24 EDT
Tagged and built: oracle-selinux-0.1.23.25-3 oracle-rhnsat-selinux-10.2.0.16-4
Comment 14 Milan Zázrivec 2011-06-10 09:40:58 EDT
Verified in stage w/ oracle-rhnsat-selinux-10.2.0.16-6 and
oracle-nofcontext-selinux-0.1.23.25-3 -> release pending.
Comment 15 Clifford Perry 2011-06-16 22:45:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html

Note You need to log in before you can comment on or make changes to this bug.