Description of problem:
there is selinux denial on satellite using external db

Version-Release number of selected component (if applicable):
sat530 updated from webqa

.qa.[root@rhndev2 ~]# rpm -qa|egrep 'selinux|osa'
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-sqlplus-selinux-10.2-9.6.el5sat
selinux-policy-2.4.6-255.el5_4.4
oracle-nofcontext-selinux-0.1-23.8.5.el5sat
oracle-rhnsat-selinux-10.2-11.4.el5sat
spacewalk-selinux-0.5.4-10.el5sat
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2-9.6.el5sat
osa-dispatcher-5.9.10-5.el5sat
jabberd-selinux-1.4.2-6.el5sat
spacewalk-monitoring-selinux-0.5.7-10.el5sat
libselinux-python-1.33.4-5.5.el5
osa-dispatcher-selinux-5.9.10-5.el5sat

How reproducible:

Steps to Reproduce:
1. have a satellite running with external db (maybe more warnings to /sqlnet.log ? )

Actual results:
type=AVC msg=audit(1270409217.473:2163): avc: denied { append } for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file

.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:root_t /sqlnet.log
.qa.[root@rhndev2 ~]# restorecon /sqlnet.log
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:default_t /sqlnet.log

Expected results:
no denial

Additional info:
Satellite s390x, 1.5Gb mem, external db
database:
DB User= psklenar1
DB Password=XXXX
DB SID= rhnsat10
DB hostname= test-db-3.rhndev.redhat.com
DB port= [1521]
DB protocol= [TCP]
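The AVC record in the report above can be broken into its fields and counted per source type, path and target label, which is how one would check how often the denial actually occurs. This is an added example, not part of the original report or of the Spacewalk code; the function names, the `GENERIC_TYPES` set and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the report; line 2 is a
# made-up repeat (new timestamp/serial); line 3 is a made-up non-AVC record.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1270409217.473:2163): avc: denied { append } for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1270412817.101:2291): avc: denied { append } for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1270412817.101:2291): syscall=5 success=no exit=-13
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Catch-all labels (assumed list): a target with one of these usually means
# the file was created where policy never expected it, e.g. a daemon's cwd "/".
GENERIC_TYPES = {"root_t", "default_t", "file_t"}

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["ts"] = float(m.group("ts"))
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials per (source type, perms, class, path, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source_type"], rec["perms"], rec["tclass"],
                    rec.get("path", "?"), rec["target_type"])] += 1
    return [{"source_type": s, "perms": p, "tclass": c, "path": path,
             "target_type": t, "count": n, "generic_label": t in GENERIC_TYPES}
            for (s, p, c, path, t), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        print(row)
```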
Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong? In general, sqlnet.log is only written if there is a problem during connect. That's why we did not really bother to address this AVC denial in the past.
(In reply to comment #1)
> Can you confirm that the AVC denial only appears if the database is down /
> unreachable / the connect information is wrong?

Right, it was in time of db issue, so there are only few denials on /sqlnet.log for last month or so.

> In general, sqlnet.log is only written if there is a problem during connect.
>
> That's why we did not really bother to address this AVC denial in the past.
(In reply to comment #2)
> Right, it was in time of db issue, so there are only few denials on
> /sqlnet.log for last month or so.

Thanks. In that case, let me move it from the 5.3.1 triage to later queue.
We should use something like /usr/lib64/oracle/10.2.0.4/client/lib/network/admin/sqlnet.ora to set log_directory_client = /var/log/something and SELinux-label that /var/log/something (or sqlnet.log in it) in such a way that all client programs can append to it.
Adding Michael to Cc.
Addressed in Spacewalk master 72755b7518ecde99364eb8726fca0d39f6b1fbb2 and d9c9529015b0ae3705046cc318e238fd415484d6.
*** Bug 580401 has been marked as a duplicate of this bug. ***
I didn't see a denial on /sqlnet.log.

Verified with Satellite-5.4.0-RHEL5-re20100827.0 on x86646 rhel55
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:
http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford
*** Bug 519174 has been marked as a duplicate of this bug. ***