Bug 636369

Summary: SELinux is preventing oracle "search" access on OracleXE.
Product: [Community] Spacewalk
Reporter: Frank Ybanez <fybanez>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Docs Contact:
Priority: low
Version: 1.1
CC: dwalsh, jpazdziora, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:fc64c490c77c18e8b32bccb01536680a50f0fac96f093ab74ffaaef178b5be7e
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-20 17:12:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 623772

Description Frank Ybanez 2010-09-22 00:25:45 UTC
Summary:

SELinux is preventing oracle "search" access on OracleXE.

Detailed Description:

SELinux denied access requested by oracle. It is not expected that this access
is required by oracle and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:oracle_db_t:s0
Target Context                system_u:object_r:vmblock_t:s0
Target Objects                OracleXE [ dir ]
Source                        oracle
Source Path                   /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.6-54.fc13.i686.PAE #1 SMP Sun Sep 5 17:33:43 UTC 2010 i686 i686
Alert Count                   184
First Seen                    Mon 20 Sep 2010 04:12:16 PM MST
Last Seen                     Mon 20 Sep 2010 04:12:59 PM MST
Local ID                      8fab0f8f-e303-451f-885f-2daf9d1d114a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1285024379.434:1584): avc:  denied  { search } for  pid=5311 comm="oracle" name="OracleXE" dev=vboxsf ino=123 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=dir

Hash String generated from  catchall,oracle,oracle_db_t,vmblock_t,dir,search
audit2allow suggests:

#============= oracle_db_t ==============
allow oracle_db_t vmblock_t:dir search;
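
As an added example (not part of the bug report, Spacewalk, or setroubleshoot), a small Python parser for AVC records of the shape quoted above. It pulls out the fields Jan asks about in the comments (dev, ino, source and target types), reproduces the rule audit2allow printed, and flags the case where the target sits on a VM shared folder, where relabeling is usually the better fix than widening oracle_db_t. The triage heuristic and the device list are my own assumptions.

```python
import re

# Constructed copy of the raw audit message quoted in the bug above.
AVC_LINE = ('node=(removed) type=AVC msg=audit(1285024379.434:1584): avc:  denied  '
            '{ search } for  pid=5311 comm="oracle" name="OracleXE" dev=vboxsf ino=123 '
            'scontext=unconfined_u:system_r:oracle_db_t:s0 '
            'tcontext=system_u:object_r:vmblock_t:s0 tclass=dir')

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of guest-side shared-folder filesystems (VirtualBox, VMware).
SHARED_FOLDER_DEVS = {'vboxsf', 'vmhgfs'}


def parse_avc(line):
    """Return a dict of the AVC's fields, or None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    fields['verdict'] = verdict
    fields['perms'] = perms.split()
    # SELinux context is user:role:type:level; the type is what policy rules use.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(avc):
    """The allow rule audit2allow derives from one AVC (shown to make the mapping explicit)."""
    return "allow {} {}:{} {};".format(
        avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))


def triage(avc):
    """Defender-side hints before anyone loads a local policy module."""
    notes = []
    if avc.get('dev') in SHARED_FOLDER_DEVS or avc['ttype'] == 'vmblock_t':
        notes.append('target is on a VM shared folder (dev=%s): identify the path via '
                     'the inode (ino=%s) and prefer a file-context/relabel fix over '
                     'allowing %s broader access' % (avc.get('dev'), avc.get('ino'), avc['stype']))
    if avc['verdict'] == 'denied' and 'search' in avc['perms'] and avc['tclass'] == 'dir':
        notes.append('directory search denial: check the process cwd and any path it walks')
    return notes


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(allow_rule(rec))
    for n in triage(rec):
        print('note:', n)
```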

Comment 1 Jan Pazdziora (Red Hat) 2010-10-04 16:35:33 UTC
Frank,

judging by the dev=vboxsf and tcontext=vmblock_t, this looks like it is related to virtualization that you (I assume) are using.

We could allow the Oracle server to work with the vmblock_t but I'd like to understand what it is and how it is supposed to be used by Oracle.

Could you check around your system to see what the inode 123 is and what is the device being searched?

Thank you,

Jan

Comment 2 Jan Pazdziora (Red Hat) 2010-10-04 16:35:46 UTC
Taking, BTW.

Comment 3 Frank Ybanez 2010-10-04 17:58:17 UTC
Ahh, Ok. So this appears to be an AVC exception generated when Oracle tried to access a VMBox shared folder (shared with the VM host system).

So I can understand maybe a purpose for an AVC deny. I think maybe it's reasonable to expect no access to this by a client package. However, I'd like to understand why the server searches this dir.

Maybe Oracle Server looks at all of the available filesystem for this? There could be a use case where a shared folder might need to house Oracle DB files; so maybe it makes sense to make an exception for this context.

Comment 4 Jan Pazdziora (Red Hat) 2010-10-05 06:49:36 UTC
On my Oracle XE installation, the only filename/directory named "OracleXE" (that's what's being searched in your case) is

/var/lib/menu/kde/Applications/OracleXE

Could you check if that directory is stored on that VMBox? Were you perhaps restarting the service while being chdirred to this directory?

I too would like to understand why Oracle is touching the directory.

Comment 5 Jan Pazdziora (Red Hat) 2010-10-27 08:32:35 UTC
Mass-aligning under space12, so that we don't lose track of this bugzilla. This however does not mean that we plan (will be able to) address this bug in Spacewalk 1.2.

Comment 6 Jan Pazdziora (Red Hat) 2010-11-19 16:05:46 UTC
Mass-moving to space13.

Comment 7 Jan Pazdziora (Red Hat) 2010-11-20 17:12:42 UTC
Closing with INSUFFICIENT_DATA.