Bug 624738 - sqlplus produces lot of avc denials during ./install.pl
Summary: sqlplus produces lot of avc denials during ./install.pl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer
Version: 540
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: Šimon Lukašík
URL:
Whiteboard:
Depends On:
Blocks: sat540-rhel6 625708 626420
TreeView+ depends on / blocked
 
Reported: 2010-08-17 15:58 UTC by Šimon Lukašík
Modified: 2010-10-28 14:59 UTC (History)
2 users (show)

Fixed In Version: oracle-server-s390x-10.2.0.4-61
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 626420 (view as bug list)
Environment:
Last Closed: 2010-10-28 14:59:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Avc denials (160.97 KB, text/plain)
2010-08-17 16:00 UTC, Šimon Lukašík 		no flags Details
/var/log/rhn/install_db.log (12.52 KB, text/plain)
2010-08-17 16:02 UTC, Šimon Lukašík 		no flags Details
View All

Description Šimon Lukašík 2010-08-17 15:58:43 UTC 
Description of problem:
During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of selinux avc denials occurs. There is also failed attempt to restart Oracle DB.

+ service oracle restart
Shutting down Oracle Net Listener ...[  OK  ]
Shutting down Oracle DB instance "rhnsat" ...[FAILED]
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/oracle: line 42: [: 10: unary operator expected
Starting Oracle Net Listener ... [  OK  ]
Starting Oracle DB instance "rhnsat" ... [  OK  ]

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20100817.0

How reproducible:
always

Steps to Reproduce:
1. ./install.pl
2.
3.
  
Actual results:
avc denials

Expected results:
none (avc denial)

Additional info:
Comment 1 Šimon Lukašík 2010-08-17 16:00:21 UTC 
Created attachment 439146 [details]
Avc denials
Comment 2 Šimon Lukašík 2010-08-17 16:02:22 UTC 
Created attachment 439147 [details]
/var/log/rhn/install_db.log
Comment 4 Šimon Lukašík 2010-08-17 20:16:01 UTC 
This is what I see in /var/log/messages during rhn-satellite restart:

Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5
Comment 5 Milan Zázrivec 2010-08-20 13:14:52 UTC 
thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d
Comment 6 Milan Zázrivec 2010-08-23 14:21:22 UTC 
The fix mentioned above addresses only the problem occurring during
oracle-server start:

    avc:  denied  { execstack } for  comm="sqlplus"
    scontext=root:system_r:oracle_sqlplus_t:s0
    tcontext=root:system_r:oracle_sqlplus_t:s0

To address the avc: denied { search } denials, I created a clone #626420
Comment 8 Šimon Lukašík 2010-09-09 12:54:56 UTC 
Changing to VERIFIED:

Testing procedure:
Automated Galatica installations. (For ex. j:17115). 

Verified against:
Satellite-5.4.0-RHEL5-re20100903.1 (embedded)
Comment 9 Miroslav Suchý 2010-10-22 12:23:13 UTC 
pass beaker test (j:25547)
Comment 10 Clifford Perry 2010-10-28 14:54:39 UTC 
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford
Note You need to log in before you can comment on or make changes to this bug.