Bug 626420 - sqlplus produces lot of avc denials during ./install.pl
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
540
All Linux
low Severity medium
Assigned To: Jan Pazdziora
Šimon Lukašík
Depends On: 624738
Blocks: sat540-blockers
Reported: 2010-08-23 10:16 EDT by Milan Zázrivec
Modified: 2010-10-28 10:53 EDT
Fixed In Version: spacewalk-admin-1.2.2-1
Doc Type: Bug Fix
Clone Of: 624738
Last Closed: 2010-10-28 10:53:44 EDT


Description Milan Zázrivec 2010-08-23 10:16:32 EDT
Purpose of this clone is to address the 'avc:  denied  { search } ... '
denials described in bug #624738.

The problem is easily reproducible:
1. mount a satellite iso under /mnt/whatever
2. cd /mnt/whatever
3. sqlplus rhnsat/rhnsat@rhnsat
4. SQL> quit
5. grep denied /var/log/audit/audit.log

+++ This bug was initially created as a clone of Bug #624738 +++

Description of problem:
During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of SELinux AVC denials occur. There is also a failed attempt to restart Oracle DB.

+ service oracle restart
Shutting down Oracle Net Listener ...[  OK  ]
Shutting down Oracle DB instance "rhnsat" ...[FAILED]
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/oracle: line 42: [: 10: unary operator expected
Starting Oracle Net Listener ... [  OK  ]
Starting Oracle DB instance "rhnsat" ... [  OK  ]

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20100817.0

How reproducible:
always

Steps to Reproduce:
1. ./install.pl
  
Actual results:
avc denials

Expected results:
none (avc denial)

Additional info:

--- Additional comment from slukasik@redhat.com on 2010-08-17 12:00:21 EDT ---



--- Additional comment from slukasik@redhat.com on 2010-08-17 12:02:22 EDT ---



--- Additional comment from slukasik@redhat.com on 2010-08-17 12:03:38 EDT ---

Logs come from beaker job:
https://beaker.engineering.redhat.com/jobs/12628

--- Additional comment from slukasik@redhat.com on 2010-08-17 16:16:01 EDT ---

This is what I see in /var/log/messages during rhn-satellite restart:

Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5

--- Additional comment from mzazrivec@redhat.com on 2010-08-20 09:14:52 EDT ---

thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d
Comment 1 Jan Pazdziora 2010-08-26 05:49:58 EDT
The AVC denials that we talk about in this bugzilla are

type=AVC msg=audit(1282053398.114:100): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.114:101): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:102): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:103): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:104): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:105): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:106): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:107): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
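
The eight records above are one denial repeated. As an added example, not part of the bug report or of Spacewalk's code, this Python script groups AVC records by command, source type, permission, target type and class so that repeats collapse to a single counted entry. The sample lines, including the execstack record, are constructed for illustration.

```python
import re
from collections import Counter

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def summarize(lines):
    """Count denials per (comm, source type, permission, target type, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        for perm in rec['perms']:
            counts[(rec.get('comm', '?'), selinux_type(rec['scontext']), perm,
                    selinux_type(rec['tcontext']), rec.get('tclass', '?'))] += 1
    return counts

# Constructed sample: eight search denials shaped like the records above
# (only the audit serial differs) plus one constructed execstack denial.
_SEARCH = ('type=AVC msg=audit(1282053398.115:{n}): avc:  denied  {{ search }} for  '
           'pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 '
           'scontext=root:system_r:oracle_sqlplus_t:s0 '
           'tcontext=system_u:object_r:iso9660_t:s0 tclass=dir')
_EXECSTACK = ('type=AVC msg=audit(1282053400.001:108): avc:  denied  { execstack } for  '
              'pid=31500 comm="sqlplus" scontext=root:system_r:oracle_sqlplus_t:s0 '
              'tcontext=root:system_r:oracle_sqlplus_t:s0 tclass=process')
SAMPLE_LINES = [_SEARCH.format(n=n) for n in range(100, 108)] + [_EXECSTACK]

if __name__ == '__main__':
    for (comm, src, perm, tgt, cls), n in summarize(SAMPLE_LINES).most_common():
        print(f'{n:3d}x {comm}: {src} -> {tgt}:{cls} {{ {perm} }}')
```
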
Comment 2 Jan Pazdziora 2010-08-26 09:08:38 EDT
Addressed in Spacewalk master, ec440206d21021c2ba8fdedf3dc9e2b6f1f31386.

We just chdir to / now.
Comment 4 Šimon Lukašík 2010-09-09 08:54:11 EDT
Changing to VERIFIED:

Testing procedure:
Automated Galatica installations. (For ex. j:17115). 

Verified against:
Satellite-5.4.0-RHEL5-re20100903.1 (embedded)
Comment 5 Miroslav Suchý 2010-10-22 08:23:02 EDT
pass beaker test (j:25547)
Comment 6 Clifford Perry 2010-10-28 10:48:57 EDT
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford
