+++ This bug was initially created as a clone of Bug #580047 +++

Description of problem:
there is selinux denial on satellite using external db

Version-Release number of selected component (if applicable):
sat530 updated from webqa

.qa.[root@rhndev2 ~]# rpm -qa|egrep 'selinux|osa'
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-sqlplus-selinux-10.2-9.6.el5sat
selinux-policy-2.4.6-255.el5_4.4
oracle-nofcontext-selinux-0.1-23.8.5.el5sat
oracle-rhnsat-selinux-10.2-11.4.el5sat
spacewalk-selinux-0.5.4-10.el5sat
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2-9.6.el5sat
osa-dispatcher-5.9.10-5.el5sat
jabberd-selinux-1.4.2-6.el5sat
spacewalk-monitoring-selinux-0.5.7-10.el5sat
libselinux-python-1.33.4-5.5.el5
osa-dispatcher-selinux-5.9.10-5.el5sat

How reproducible:

Steps to Reproduce:
1. have a satellite running with external db (maybe more warnings to /sqlnet.log ? )

Actual results:
type=AVC msg=audit(1270409217.473:2163): avc: denied { append } for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file

.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:root_t /sqlnet.log
.qa.[root@rhndev2 ~]# restorecon /sqlnet.log
.qa.[root@rhndev2 ~]# ls -Z /sqlnet.log
-rw-rw-rw- root root system_u:object_r:default_t /sqlnet.log

Expected results:
no denial

Additional info:
Satellite s390x,1.5Gb mem, external db
database:
DB User= psklenar1
DB Password=XXXX
DB SID= rhnsat10
DB hostname= test-db-3.rhndev.redhat.com
DB port= [1521]
DB protocol= [TCP]

--- Additional comment from jpazdziora on 2010-04-07 09:49:48 EDT ---

Can you confirm that the AVC denial only appears if the database is down / unreachable / the connect information is wrong?

In general, sqlnet.log is only written if there is a problem during connect.

That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from psklenar on 2010-04-07 11:01:28 EDT ---

(In reply to comment #1)
> Can you confirm that the AVC denial only appears if the database is down /
> unreachable / the connect information is wrong?

Right, it was in time of db issue, so there are only few denials on /sqlnet.log for last month or so.

>
> In general, sqlnet.log is only written if there is a problem during connect.
>
> That's why we did not really bother to address this AVC denial in the past.

--- Additional comment from jpazdziora on 2010-04-07 13:50:11 EDT ---

(In reply to comment #2)
>
> Right, it was in time of db issue, so there are only few denials on
> /sqlnet.log for last month or so.

Thanks. In that case, let me move it from the 5.3.1 triage to later queue.

--- Additional comment from jpazdziora on 2010-04-08 03:57:15 EDT ---

We should use something like

/usr/lib64/oracle/10.2.0.4/client/lib/network/admin/sqlnet.ora

to set

log_directory_client = /var/log/something

and SELinux-label that /var/log/something (or sqlnet.log in it) in such a way that all client programs can append to it.

--- Additional comment from jpazdziora on 2010-04-08 03:58:02 EDT ---

Adding Michael to Cc.

This is a generalized version of original bug #580047. We agreed on closing this as the original bug has been resolved.

*** This bug has been marked as a duplicate of bug 580047 ***
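
An added example, not part of the bug report or of the Satellite SELinux policy: a small Python parser for the AVC record quoted in the description. It flags denials whose target file carries a generic label such as root_t or default_t, the two labels /sqlnet.log shows before and after restorecon. The function names and the GENERIC_TYPES set are assumptions of this example.

```python
import re

# AVC record copied from the bug description above.
SAMPLE = ('type=AVC msg=audit(1270409217.473:2163): avc: denied { append } '
          'for pid=1902 comm="osa-dispatcher" path="/sqlnet.log" dev=dm-0 '
          'ino=97442 scontext=system_u:system_r:osa_dispatcher_t:s0 '
          'tcontext=system_u:object_r:root_t:s0 tclass=file')

# Assumption of this example: types a file ends up with through inheritance
# from its parent directory or through the absence of any matching
# file-context rule, rather than through a rule written for that file.
GENERIC_TYPES = {"root_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        # Context layout is user:role:type[:level]; the type is the third part.
        parts = fields.get(side, "").split(":")
        fields[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def triage(line):
    """Summarise a denial and say whether the target has only a generic label."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return {
        "domain": rec["scontext_type"],
        "target_type": rec["tcontext_type"],
        "path": rec.get("path"),
        "perms": rec["perms"],
        "tclass": rec.get("tclass"),
        # True means the file sits where no file-context rule covers it, so
        # relocating and labelling it is the fix, not a broader allow rule.
        "generic_label": rec["tcontext_type"] in GENERIC_TYPES,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A True value for generic_label on /sqlnet.log matches the direction taken in the thread: move the log to a dedicated directory and label that directory, instead of allowing the domain to append to root_t files.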