Purpose of this clone is to address the 'avc: denied { search } ... ' denials described in bug #624738. The problem is easily reproducible: 1. mount a satellite iso under /mnt/whatever 2. cd /mnt/whatever 3. sqlplus rhnsat/rhnsat@rhnsat 4. SQL> quit 5. grep denied /var/log/audit/audit.log +++ This bug was initially created as a clone of Bug #624738 +++ Description of problem: During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of selinux avc denials occurs. There is also failed attempt to restart Oracle DB. + service oracle restart Shutting down Oracle Net Listener ...[ OK ] Shutting down Oracle DB instance "rhnsat" ...[FAILED] sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied /etc/init.d/oracle: line 42: [: 10: unary operator expected Starting Oracle Net Listener ... [ OK ] Starting Oracle DB instance "rhnsat" ... [ OK ] Version-Release number of selected component (if applicable): Satellite-5.4.0-RHEL5-re20100817.0 How reproducible: always Steps to Reproduce: 1. ./install.pl 2. 3. Actual results: avc denials Expected results: none (avc denial) Additional info: --- Additional comment from slukasik on 2010-08-17 12:00:21 EDT --- --- Additional comment from slukasik on 2010-08-17 12:02:22 EDT --- --- Additional comment from slukasik on 2010-08-17 12:03:38 EDT --- Logs come from beaker job: https://beaker.engineering.redhat.com/jobs/12628 --- Additional comment from slukasik on 2010-08-17 16:16:01 EDT --- This is what I see in /var/log/messages during rhn-satellite restart: Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5 --- Additional comment from mzazrivec on 2010-08-20 09:14:52 EDT --- thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d
The AVC denials that we talk about in this bugzilla are type=AVC msg=audit(1282053398.114:100): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.114:101): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:102): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:103): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:104): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:105): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:106): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir type=AVC msg=audit(1282053398.115:107): avc: denied { search } for pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
Addressed in Spacewalk master, ec440206d21021c2ba8fdedf3dc9e2b6f1f31386. We just chdir to / now.
Changing to VERIFIED: Testing procedure: Automated Galatica installations. (For ex. j:17115). Verified against: Satellite-5.4.0-RHEL5-re20100903.1 (embedded)
pass beaker test (j:25547)
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332 RHEA-2010:0803 - RHN Tools enhancement update https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333 RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334 RHEA-2010:0800 - RHN Satellite Server 5.4.0 https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335 Docs are available: http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html Regards, Clifford