626420 – sqlplus produces lot of avc denials during ./install.pl

Bug 626420 - sqlplus produces lot of avc denials during ./install.pl

Summary: sqlplus produces lot of avc denials during ./install.pl

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite 5
Classification:	Red Hat
Component:	Server
Sub Component:
Version:	540
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Jan Pazdziora
QA Contact:	Šimon Lukašík
Docs Contact:
URL:
Whiteboard:
Depends On:	624738
Blocks:	sat540-blockers
TreeView+	depends on / blocked

Reported:	2010-08-23 14:16 UTC by Milan Zázrivec
Modified:	2010-10-28 14:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:	spacewalk-admin-1.2.2-1
Doc Type:	Bug Fix
Doc Text:
Clone Of:	624738
Environment:
Last Closed:	2010-10-28 14:53:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Milan Zázrivec 2010-08-23 14:16:32 UTC

Purpose of this clone is to address the 'avc:  denied  { search } ... '
denials described in bug #624738.

The problem is easily reproducible:
1. mount a satellite iso under /mnt/whatever
2. cd /mnt/whatever
3. sqlplus rhnsat/rhnsat@rhnsat
4. SQL> quit
5. grep denied /var/log/audit/audit.log

+++ This bug was initially created as a clone of Bug #624738 +++

Description of problem:
During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of selinux avc denials occurs. There is also failed attempt to restart Oracle DB.

+ service oracle restart
Shutting down Oracle Net Listener ...[  OK  ]
Shutting down Oracle DB instance "rhnsat" ...[FAILED]
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/oracle: line 42: [: 10: unary operator expected
Starting Oracle Net Listener ... [  OK  ]
Starting Oracle DB instance "rhnsat" ... [  OK  ]

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20100817.0

How reproducible:
always

Steps to Reproduce:
1. ./install.pl
2.
3.
  
Actual results:
avc denials

Expected results:
none (avc denial)

Additional info:

--- Additional comment from slukasik on 2010-08-17 12:00:21 EDT ---



--- Additional comment from slukasik on 2010-08-17 12:02:22 EDT ---



--- Additional comment from slukasik on 2010-08-17 12:03:38 EDT ---

Logs come from beaker job:
https://beaker.engineering.redhat.com/jobs/12628

--- Additional comment from slukasik on 2010-08-17 16:16:01 EDT ---

This is what I see in /var/log/messages during rhn-satellite restart:

Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5

--- Additional comment from mzazrivec on 2010-08-20 09:14:52 EDT ---

thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d

Comment 1 Jan Pazdziora 2010-08-26 09:49:58 UTC

The AVC denials that we talk about in this bugzilla are

type=AVC msg=audit(1282053398.114:100): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.114:101): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:102): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:103): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:104): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:105): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:106): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:107): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir

Comment 2 Jan Pazdziora 2010-08-26 13:08:38 UTC

Addressed in Spacewalk master, ec440206d21021c2ba8fdedf3dc9e2b6f1f31386.

We just chdir to / now.

Comment 4 Šimon Lukašík 2010-09-09 12:54:11 UTC

Changing to VERIFIED:

Testing procedure:
Automated Galatica installations. (For ex. j:17115). 

Verified against:
Satellite-5.4.0-RHEL5-re20100903.1 (embedded)

Comment 5 Miroslav Suchý 2010-10-22 12:23:02 UTC

pass beaker test (j:25547)

Comment 6 Clifford Perry 2010-10-28 14:48:57 UTC

The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford

Note You need to log in before you can comment on or make changes to this bug.