Bug 580401 - sqlnet.log should be in fixed location (not cwd), labeled properly for all programs to be able to append to it
Keywords:
Status: CLOSED DUPLICATE of bug 580047
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: 580047 space11
Reported: 2010-04-08 08:00 UTC by Jan Pazdziora (Red Hat)
Modified: 2010-05-05 14:56 UTC (History)

Fixed In Version:
Clone Of: 580047
Environment:
Last Closed: 2010-05-05 14:56:24 UTC
Embargoed:



Description Jan Pazdziora (Red Hat) 2010-04-08 08:00:15 UTC
+++ This bug was initially created as a clone of Bug #580047 +++

Description of problem:
There is an SELinux denial on Satellite using an external DB.

Version-Release number of selected component (if applicable):
sat530 updated from webqa

.qa.[root@rhndev2 ~]# rpm -qa|egrep 'selinux|osa'
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-sqlplus-selinux-10.2-9.6.el5sat
selinux-policy-2.4.6-255.el5_4.4
oracle-nofcontext-selinux-0.1-23.8.5.el5sat
oracle-rhnsat-selinux-10.2-11.4.el5sat
spacewalk-selinux-0.5.4-10.el5sat
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2-9.6.el5sat
osa-dispatcher-5.9.10-5.el5sat
jabberd-selinux-1.4.2-6.el5sat
spacewalk-monitoring-selinux-0.5.7-10.el5sat
libselinux-python-1.33.4-5.5.el5
osa-dispatcher-selinux-5.9.10-5.el5sat

How reproducible:


Steps to Reproduce:
1. Have a Satellite running with an external DB (maybe more warnings to /sqlnet.log?)

  
Actual results:

type=AVC msg=audit(1270409217.473:2163): avc:  denied  { append } for  pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file

.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw-  root root system_u:object_r:root_t         /sqlnet.log
.qa.[root@rhndev2 ~]# restorecon /sqlnet.log
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw-  root root system_u:object_r:default_t      /sqlnet.log


Expected results:
no denial

Additional info:
Satellite
s390x,1.5Gb mem, external db

database:
DB User= psklenar1
DB Password=XXXX
DB SID= rhnsat10
DB hostname= test-db-3.rhndev.redhat.com
DB port= [1521] 
DB protocol= [TCP]

--- Additional comment from jpazdziora on 2010-04-07 09:49:48 EDT ---

Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong?

In general, sqlnet.log is only written if there is a problem during connect.

That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from psklenar on 2010-04-07 11:01:28 EDT ---

(In reply to comment #1)
> Can you confirm that the AVC denial only appears if the database is down /
> unreachable / the connect information is wrong?

Right, it was at the time of the DB issue, so there are only a few denials on /sqlnet.log for the last month or so.

> 
> In general, sqlnet.log is only written if there is a problem during connect.
> 
> That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from jpazdziora on 2010-04-07 13:50:11 EDT ---

(In reply to comment #2)
> 
> Right , it was in time of db issue, so there are only few denials on
> /sqlnet.log for last month or so.

Thanks. In that case, let me move it from the 5.3.1 triage to later queue.

--- Additional comment from jpazdziora on 2010-04-08 03:57:15 EDT ---

We should use something like /usr/lib64/oracle/10.2.0.4/client/lib/network/admin/sqlnet.ora to set log_directory_client = /var/log/something and SELinux-label that /var/log/something (or sqlnet.log in it) in such a way that all client programs can append to it.

--- Additional comment from jpazdziora on 2010-04-08 03:58:02 EDT ---

Adding Michael to Cc.

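As an added example, not part of this bug report or of Spacewalk's own code: a small Python triage script that parses AVC records like the one in the description above and checks the denied path against where sqlnet.ora says the Oracle Net client log should go, following the LOG_DIRECTORY_CLIENT approach proposed in the last comment. The directory /var/log/oracle-client, the second (httpd) denial and the SYSCALL record are constructed; the assumption that an unconfigured client writes sqlnet.log into the process's current working directory is taken from the report itself (/sqlnet.log with cwd /).

```python
import re
from pathlib import PurePosixPath

# Constructed audit input: line 1 is the denial from the report, line 2 is a
# made-up denial against a log that already sits in the configured directory,
# line 3 is a non-AVC record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1270409217.473:2163): avc:  denied  { append } for  pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1270409300.101:2170): avc:  denied  { append } for  pid=2210 comm="httpd" path="/var/log/oracle-client/sqlnet.log" dev=dm-0 ino=97500 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1270409217.473:2163): arch=c000003e syscall=2 success=no exit=-13 comm="osa-dispatcher"
"""

# Constructed sqlnet.ora fragment of the kind the comment proposes; the
# directory name /var/log/oracle-client is an assumption, not from the report.
SAMPLE_SQLNET_ORA = """\
# client-side Oracle Net logging
LOG_DIRECTORY_CLIENT = /var/log/oracle-client
LOG_FILE_CLIENT = sqlnet
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # Third field of an SELinux context is the type (user:role:type:level).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def expected_log_path(sqlnet_ora, cwd="/"):
    """Resolve where the Oracle Net client log lands for this sqlnet.ora.

    Assumptions: simple KEY = VALUE lines with '#' comments; without
    LOG_DIRECTORY_CLIENT the log goes to the process cwd (as in the report);
    the .log extension is appended when LOG_FILE_CLIENT lacks it.
    """
    settings = {}
    for raw in sqlnet_ora.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.upper()] = value
    directory = settings.get("LOG_DIRECTORY_CLIENT", cwd)
    name = settings.get("LOG_FILE_CLIENT", "sqlnet")
    if not name.endswith(".log"):
        name += ".log"
    return str(PurePosixPath(directory) / name)


def triage(audit_text, sqlnet_ora, daemon_cwd="/"):
    """One finding per AVC denial on a file named sqlnet.log.

    A denial on a path other than the configured log location means the
    client fell back to cwd (the bug above); a denial on the configured path
    means the directory label still does not grant the source domain append.
    """
    expected = expected_log_path(sqlnet_ora, daemon_cwd)
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        path = rec.get("path", "")
        if PurePosixPath(path).name != "sqlnet.log":
            continue
        misplaced = path != expected
        findings.append({
            "comm": rec.get("comm"),
            "path": path,
            "perms": rec["perms"],
            "source_type": rec.get("scontext_type"),
            "target_type": rec.get("tcontext_type"),
            "misplaced": misplaced,
            "advice": ("log written to the process cwd; set LOG_DIRECTORY_CLIENT "
                       "in sqlnet.ora" if misplaced else
                       "log is in the configured directory; its label must allow "
                       f"append from {rec.get('scontext_type')}"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT, SAMPLE_SQLNET_ORA):
        print(finding)
```

The script only reads audit text and the sqlnet.ora fragment, so it can be run against a copy of /var/log/audit/audit.log on the Satellite host; the file-name check is deliberately narrow (sqlnet.log only) so that unrelated denials are not reported as this problem.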
Comment 1 Michael Mráka 2010-05-05 14:56:24 UTC
This is a generalized version of the original bug #580047.
We agreed on closing this as the original bug has been resolved.

*** This bug has been marked as a duplicate of bug 580047 ***

