Description of problem:
I install 530 satellite + upgraded from rhn.stage. After one week I can see this avc denial which I cannot reproduce. Satellite was only running during last week with no user activities.

type=AVC msg=audit(1266040097.765:7014): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
sat 531, upgraded from stage

How reproducible:
deterministic

Steps to Reproduce:
1. install 531,satellite
2. wait a week ...

Actual results:
1266040097.765:7014

[root@smqa-r210-02 ~]# cat /var/log/audit/audit.log | grep den
type=USER_ERR msg=audit(1263217558.076:624): user pid=8988 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=dhcp-lab-100.englab.brq.redhat.com, addr=10.34.33.100, terminal=ssh res=failed)'
type=AVC msg=audit(1266040097.745:7002): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.745:7003): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7004): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7005): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7006): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7007): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7008): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.761:7009): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7010): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7011): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7012): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7013): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=AVC msg=audit(1266040097.765:7014): avc: denied { search } for pid=27548 comm="oracle" name="log" dev=dm-0 ino=48758824 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir

Expected results:
no denial

Additional info:
let me know which output I should attach
[root@smqa-r210-02 ~]# find / -mount -inum 48758824 -print
/opt/apps/oracle/web/product/10.2.0/db_1/network/log
[root@smqa-r210-02 ~]# ls -Zla /opt/apps/oracle/web/product/10.2.0/db_1/network/log
total 136
drwxrwx--- 2 user_u:object_r:oracle_tnslsnr_log_t oracle dba 4096 Feb 15 10:18 .
drwxrwx--- 10 system_u:object_r:usr_t oracle dba 4096 Feb 1 11:34 ..
-rw-r----- 1 root:object_r:oracle_tnslsnr_log_t oracle oracle 6084 Feb 15 11:01 listener.log
-rw-r----- 1 root:object_r:oracle_tnslsnr_log_t oracle oracle 98853 Feb 15 10:18 listener.log.1.gz
[root@smqa-r210-02 ~]# ls -Zdla /opt/apps/oracle/web/product/10.2.0/db_1/network/log
drwxrwx--- 2 user_u:object_r:oracle_tnslsnr_log_t oracle dba 4096 Feb 15 10:18 /opt/apps/oracle/web/product/10.2.0/db_1/network/log

restorecon on this dir and files inside doesn't change a context.
[root@rhndev5 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

Summary:

SELinux is preventing oracle (oracle_db_t) "search" to ./log (oracle_tnslsnr_log_t).

Detailed Description:

SELinux denied access requested by oracle. It is not expected that this access is required by oracle and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./log,

restorecon -v './log'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:oracle_db_t
Target Context                user_u:object_r:oracle_tnslsnr_log_t
Target Objects                ./log [ dir ]
Source                        oracle
Source Path                   /opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           oracle-server-s390x-10.2.0.4-65.el5sat
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     rhndev5
Platform                      Linux rhndev5 2.6.18-238.el5 #1 SMP Sun Dec 19 14:27:28 EST 2010 s390x s390x
Alert Count                   13
First Seen                    Thu Feb 3 01:34:14 2011
Last Seen                     Thu Feb 3 01:34:14 2011
Local ID                      a824e83e-9c06-41dd-9871-0518a4e46d07
Line Numbers                  303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328

Raw Audit Messages

type=AVC msg=audit(1296714854.500:274): avc: denied { search } for pid=10435 comm="oracle" name="log" dev=dm-0 ino=461991 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1296714854.500:274): arch=80000016 syscall=5 success=no exit=-13 a0=3ffff989128 a1=441 a2=1b6 a3=1b6 items=0 ppid=1 pid=10435 auid=4294967295 uid=100 gid=157 euid=100 suid=100 fsuid=100 egid=156 sgid=156 fsgid=156 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=root:system_r:oracle_db_t:s0 key=(null)

[root@rhndev5 ~]# find / -mount -inum 461991 -print
/opt/apps/oracle/web/product/10.2.0/db_1/network/log
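Added example (not part of the original report, and not Spacewalk or Red Hat code): a small Python parser that collapses repeated AVC denials like the ones quoted above into one entry per (source type, target type, class, permissions, inode) and joins each AVC to its SYSCALL record by audit event ID to recover the executable and uid. The function names are assumptions made for this example, and the serial-275 record is a constructed repeat.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample input: the AVC/SYSCALL pair quoted in this report, plus one
# constructed repeat of the AVC (serial 275) to show grouping.
SAMPLE = '''\
type=AVC msg=audit(1296714854.500:274): avc: denied { search } for pid=10435 comm="oracle" name="log" dev=dm-0 ino=461991 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1296714854.500:274): arch=80000016 syscall=5 success=no exit=-13 a0=3ffff989128 a1=441 a2=1b6 a3=1b6 items=0 ppid=1 pid=10435 auid=4294967295 uid=100 gid=157 euid=100 suid=100 fsuid=100 egid=156 sgid=156 fsgid=156 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=root:system_r:oracle_db_t:s0 key=(null)
type=AVC msg=audit(1296714854.500:275): avc: denied { search } for pid=10435 comm="oracle" name="log" dev=dm-0 ino=461991 scontext=root:system_r:oracle_db_t:s0 tcontext=user_u:object_r:oracle_tnslsnr_log_t:s0 tclass=dir
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return one audit record as a dict, or None for non-audit lines."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec.update(type=m.group(1), ts=float(m.group(2)), event=m.group(2) + ":" + m.group(3))
    p = PERMS.search(line)
    if p:
        rec["perms"] = tuple(p.group(1).split())
    return rec

def summarize(text):
    """Group AVC denials by (source type, target type, class, perms, inode)."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    # A SYSCALL record carries the same timestamp:serial as the AVC it explains.
    syscalls = {r["event"]: r for r in recs if r["type"] == "SYSCALL"}
    groups = defaultdict(lambda: {"count": 0, "first": None, "exe": set(), "uid": set()})
    for r in recs:
        if r["type"] != "AVC" or "perms" not in r:
            continue
        # The SELinux type is the third field of user:role:type[:level].
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2],
               r["tclass"], r["perms"], r.get("ino"))
        g = groups[key]
        g["count"] += 1
        when = datetime.fromtimestamp(r["ts"], tz=timezone.utc).isoformat()
        g["first"] = min(g["first"] or when, when)
        sc = syscalls.get(r["event"])
        if sc:
            g["exe"].add(sc["exe"])
            g["uid"].add(sc["uid"])
    return dict(groups)
```

Calling summarize(SAMPLE) yields a single group for oracle_db_t searching an oracle_tnslsnr_log_t directory. The "first" field is reported in UTC, so it differs from the local-time "First Seen" that sealert prints.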
The reproducer is actually pretty easy -- run

    sqlplus rhnsat/asdf@rhnsat

with incorrect password and after sqlplus says

    ERROR:
    ORA-01017: invalid username/password; logon denied

    Enter user-name:

don't do anything for cca a minute. After that time, oracle will expire the session with ORA-3136 and attempt to log the situation to /opt/apps/oracle/web/product/10.2.0/db_1/network/log/sqlnet.log.
*** Bug 654581 has been marked as a duplicate of this bug. ***
The Spacewalk upstream bugzilla is bug 489548.
Fixed in Spacewalk master, 85b5cf4d54b389d2ca14c955766265457cf0c47c.
Tagged and built: oracle-selinux-0.1.23.25-3 oracle-rhnsat-selinux-10.2.0.16-4
Verified in stage w/ oracle-rhnsat-selinux-10.2.0.16-6 and oracle-nofcontext-selinux-0.1.23.25-3 -> release pending.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html