Summary:

SELinux is preventing oracle "search" access on OracleXE.

Detailed Description:

SELinux denied access requested by oracle. It is not expected that this access is required by oracle and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:oracle_db_t:s0
Target Context                system_u:object_r:vmblock_t:s0
Target Objects                OracleXE [ dir ]
Source                        oracle
Source Path                   /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/oracle
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.6-54.fc13.i686.PAE #1 SMP Sun Sep 5 17:33:43 UTC 2010 i686 i686
Alert Count                   184
First Seen                    Mon 20 Sep 2010 04:12:16 PM MST
Last Seen                     Mon 20 Sep 2010 04:12:59 PM MST
Local ID                      8fab0f8f-e303-451f-885f-2daf9d1d114a
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1285024379.434:1584): avc: denied { search } for pid=5311 comm="oracle" name="OracleXE" dev=vboxsf ino=123 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=dir

Hash String generated from catchall,oracle,oracle_db_t,vmblock_t,dir,search

audit2allow suggests:

#============= oracle_db_t ==============
allow oracle_db_t vmblock_t:dir search;
Frank, judging by the dev=vboxsf and tcontext=vmblock_t, this looks like it is related to the virtualization that you (I assume) are using. We could allow the Oracle server to work with the vmblock_t but I'd like to understand what it is and how it is supposed to be used by Oracle. Could you check around your system to see what the inode 123 is and what is the device being searched?

Thank you,
Jan
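An added example, not part of the bug report or of any SELinux tool: a small Python parser for the raw AVC record in the report that pulls out the fields the reply above asks about (dev, ino, name) and groups repeated denials into the rule audit2allow printed. The function names and the second sample record are made up for illustration.

```python
import re
from collections import Counter

# RECORD is the AVC line quoted in the report. SAMPLE adds a constructed
# repeat (made-up timestamp/serial) and a constructed non-AVC line.
RECORD = ('node=(removed) type=AVC msg=audit(1285024379.434:1584): avc: denied '
          '{ search } for pid=5311 comm="oracle" name="OracleXE" dev=vboxsf '
          'ino=123 scontext=unconfined_u:system_r:oracle_db_t:s0 '
          'tcontext=system_u:object_r:vmblock_t:s0 tclass=dir')
SAMPLE = '\n'.join([
    RECORD,
    RECORD.replace('1285024379.434:1584', '1285024380.001:1585'),
    'node=(removed) type=SYSCALL msg=audit(1285024380.001:1585): success=no',
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permission) and
    collect the (dev, ino, name) of every object that triggered them."""
    counts, objects = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            counts[key] += 1
            objects.setdefault(key, set()).add(
                (rec.get('dev'), rec.get('ino'), rec.get('name')))
    return counts, objects

def allow_rule(key):
    """Render a key in the form audit2allow prints in the report."""
    return 'allow %s %s:%s %s;' % key

if __name__ == '__main__':
    counts, objects = summarize(SAMPLE)
    for key, n in counts.items():
        print(n, allow_rule(key), sorted(objects[key]))
```

Listing the distinct (dev, ino, name) tuples next to each candidate rule shows how many different objects sit behind a high alert count before any allow rule is considered.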
Taking, BTW.
Ahh, Ok. So this appears to be an AVC exception generated when Oracle tried to access a VMBox shared folder (shared with the VM host system). So I can understand maybe a purpose for an AVC deny. I think maybe it's reasonable to expect no access to this by a client package. However, I'd like to understand why the server searches this dir. Maybe Oracle Server looks at all of the available filesystem for this? There could be a use case where a shared folder might need to house Oracle DB files; so maybe it makes sense to make an exception for this context.
On my Oracle XE installation, the only filename/directory named "OracleXE" (that's what's being searched in your case) is

/var/lib/menu/kde/Applications/OracleXE

Could you check if that directory is stored on that VMBox? Were you perhaps restarting the service while being chdirred to this directory? I too would like to understand why Oracle is touching the directory.
Mass-aligning under space12, so that we don't lose track of this bugzilla. This however does not mean that we plan to (or will be able to) address this bug in Spacewalk 1.2.
Mass-moving to space13.
Closing with INSUFFICIENT_DATA.