Bug 578655 - SELinux is preventing oracle (oracle_db_t) "read" to ./passwd (etc_runtime_t).
SELinux is preventing oracle (oracle_db_t) "read" to ./passwd (etc_runtime_t).
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity low
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2010-03-31 19:23 EDT by macheater
Modified: 2010-08-19 07:12 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-19 07:12:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description macheater 2010-03-31 19:23:27 EDT
Description of problem:
SELinux is preventing oracle (oracle_db_t) "read" to ./passwd (etc_runtime_t).

Version-Release number of selected component (if applicable):

How reproducible:
Running the Redhat Satellite server's oracle database produces errors

Steps to Reproduce:
1. Try to kickstart a server
Actual results:

Expected results:

Additional info:
Ran: sealert -l ca829f24-e464-4692-bdf3-f55567685542 followed by recommendation:
restorecon -v './passwd'
Did not produce any changes.
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Comment 1 Daniel Walsh 2010-04-01 08:34:50 EDT
Sadly the tool/kernel could not figure out that the avc referred to /etc/passwd

restorecon -v /etc/passwd 

Should probably fix the problem.

We have a better solution for the troubleshooter in RHEL6 or you could turn on full auditing, and the AVC would have contained the full path, but there is performance overhead for this.

My guess is that some init script edited the /etc/passwd file and left it with a bad label.

Note You need to log in before you can comment on or make changes to this bug.