Bug 626420 - sqlplus produces lot of avc denials during ./install.pl
Summary: sqlplus produces lot of avc denials during ./install.pl
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server   
(Show other bugs)
Version: 540
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Šimon Lukašík
URL:
Whiteboard:
Keywords:
Depends On: 624738
Blocks: sat540-blockers
TreeView+ depends on / blocked
 
Reported: 2010-08-23 14:16 UTC by Milan Zázrivec
Modified: 2010-10-28 14:53 UTC (History)
3 users (show)

Fixed In Version: spacewalk-admin-1.2.2-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 624738
Environment:
Last Closed: 2010-10-28 14:53:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Milan Zázrivec 2010-08-23 14:16:32 UTC
Purpose of this clone is to address the 'avc:  denied  { search } ... '
denials described in bug #624738.

The problem is easily reproducible:
1. mount a satellite iso under /mnt/whatever
2. cd /mnt/whatever
3. sqlplus rhnsat/rhnsat@rhnsat
4. SQL> quit
5. grep denied /var/log/audit/audit.log

+++ This bug was initially created as a clone of Bug #624738 +++

Description of problem:
During installation of Satellite-5.4.0-RHEL5-re20100817.0 a lot of selinux avc denials occurs. There is also failed attempt to restart Oracle DB.

+ service oracle restart
Shutting down Oracle Net Listener ...[  OK  ]
Shutting down Oracle DB instance "rhnsat" ...[FAILED]
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/oracle: line 42: [: 10: unary operator expected
Starting Oracle Net Listener ... [  OK  ]
Starting Oracle DB instance "rhnsat" ... [  OK  ]

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20100817.0

How reproducible:
always

Steps to Reproduce:
1. ./install.pl
2.
3.
  
Actual results:
avc denials

Expected results:
none (avc denial)

Additional info:

--- Additional comment from slukasik@redhat.com on 2010-08-17 12:00:21 EDT ---



--- Additional comment from slukasik@redhat.com on 2010-08-17 12:02:22 EDT ---



--- Additional comment from slukasik@redhat.com on 2010-08-17 12:03:38 EDT ---

Logs come from beaker job:
https://beaker.engineering.redhat.com/jobs/12628

--- Additional comment from slukasik@redhat.com on 2010-08-17 16:16:01 EDT ---

This is what I see in /var/log/messages during rhn-satellite restart:

Aug 17 16:11:52 hp-ml370g5-01 setroubleshoot: SELinux is preventing sqlplus (oracle_sqlplus_t) "execstack" to <Unknown> (oracle_sqlplus_t). For complete SELinux messages. run sealert -l c96aedbb-0d10-4631-bdae-0b2288d635d5

--- Additional comment from mzazrivec@redhat.com on 2010-08-20 09:14:52 EDT ---

thirdparty.git master: 842e58d9de8f7d9994507248061395ed40494e1d

Comment 1 Jan Pazdziora 2010-08-26 09:49:58 UTC
The AVC denials that we talk about in this bugzilla are

type=AVC msg=audit(1282053398.114:100): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.114:101): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:102): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:103): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:104): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:105): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:106): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
type=AVC msg=audit(1282053398.115:107): avc:  denied  { search } for  pid=31426 comm="sqlplus" name="/" dev=loop0 ino=1792 scontext=root:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir

Comment 2 Jan Pazdziora 2010-08-26 13:08:38 UTC
Addressed in Spacewalk master, ec440206d21021c2ba8fdedf3dc9e2b6f1f31386.

We just chdir to / now.

Comment 4 Šimon Lukašík 2010-09-09 12:54:11 UTC
Changing to VERIFIED:

Testing procedure:
Automated Galatica installations. (For ex. j:17115). 

Verified against:
Satellite-5.4.0-RHEL5-re20100903.1 (embedded)

Comment 5 Miroslav Suchý 2010-10-22 12:23:02 UTC
pass beaker test (j:25547)

Comment 6 Clifford Perry 2010-10-28 14:48:57 UTC
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford


Note You need to log in before you can comment on or make changes to this bug.