
Bug 646862

Summary: Selinux denial: db-control gather-stats
Product: Red Hat Satellite 5
Component: Server
Version: 540
Status: CLOSED DEFERRED
Severity: medium
Priority: medium
Reporter: Petr Sklenar <psklenar>
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: jhutar, jpazdziora, msuchy
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-04 13:25:43 UTC
Bug Blocks: 462714

Description Petr Sklenar 2010-10-26 13:51:44 UTC
Description of problem:
There is an SELinux denial during db-control gather-stats.

Version-Release number of selected component (if applicable):
Satellite-5.4.0-RHEL5-re20101025.0

rpm -qa | grep selinux
oracle-rhnsat-selinux-10.2.0.16-2.el5sat
libselinux-1.33.4-5.5.el5
jabberd-selinux-1.4.9-2.el5sat
spacewalk-monitoring-selinux-1.1.1-1.el5sat
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-devel-2.4.6-279.el5_5.1
oracle-nofcontext-selinux-0.1.23.19-2.el5sat
selinux-policy-2.4.6-279.el5_5.1
selinux-policy-targeted-2.4.6-279.el5_5.1
oracle-instantclient-sqlplus-selinux-10.2.0.19-2.el5sat
spacewalk-selinux-1.2.1-1.el5sat
libselinux-utils-1.33.4-5.5.el5
oracle-instantclient-selinux-10.2.0.19-2.el5sat
osa-dispatcher-selinux-5.9.38-1.el5sat

How reproducible:
always

Steps to Reproduce:
1. su - oracle
2. db-control gather-stats
  
Actual results:
tail -f /var/log/audit/audit.log | grep den &

su - oracle
-bash-3.2$ db-control gather-stats
Gathering statistics...
WARNING: this may be a very slow process.
type=AVC msg=audit(1288100394.312:8144): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100397.315:8145): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100397.316:8146): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100409.320:8147): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100457.332:8148): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100457.332:8149): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100517.352:8150): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100517.353:8151): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100565.362:8152): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100577.367:8153): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100577.367:8154): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100637.384:8155): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100637.384:8156): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100676.396:8157): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100697.406:8158): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100697.406:8159): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
done.


Expected results:
no denial

Additional info:

Comment 1 Miroslav Suchý 2012-03-23 15:16:37 UTC
I can still see it in current 541 code:
type=AVC msg=audit(1332515524.871:645): avc:  denied  { search } for  pid=4828 comm="oracle" name="4885" dev=proc ino=418131 scontext=unconfined_u:unconfined_r:oracle_db_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1332515524.873:646): avc:  denied  { search } for  pid=4828 comm="oracle" name="4887" dev=proc ino=418152 scontext=unconfined_u:unconfined_r:oracle_db_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir

Comment 2 Miroslav Suchý 2012-03-23 15:24:29 UTC
The solution can be this policy:

allow oracle_db_t unconfined_t:dir search;

Comment 3 Miroslav Suchý 2012-03-23 15:37:18 UTC
Hmm, but this is not an Oracle cause. As pure:
begin dbms_stats.gather_schema_stats(NULL, ESTIMATE_PERCENT=>15, DEGREE=>DBMS_STATS.DEFAULT_DEGREE, CASCADE=>TRUE); end;
produces no AVC denial. So it must be caused by something in db-control itself.

Comment 4 Jan Pazdziora (Red Hat) 2012-03-23 15:38:07 UTC
It's reading of the /proc directory, probably trying to list processes or something.

I would not allow it -- if something, I'd dontaudit it.

By the way, you've closed bug 646863 but I believe that one is still valid. The AVC denials are not deterministic -- sometimes the database decides to do the search, sometimes it does not.

If you were able to see it on a live system, it would help if we knew what process 4828 was exactly -- can you ps it and find out which of the Oracle processes it was? Ideally you'd also want to strace it or otherwise find out when/why it goes to search that /proc directory. Maybe there is some configuration to stop it from doing it.
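The AVC records in the description and in comment 1 all have the same shape, and the discussion in comments 2 and 4 is about which type-enforcement rule (allow vs. dontaudit) should answer them. The following Python is an added example, not code from this bug or from Spacewalk/Satellite: it parses AVC lines into fields, groups denials by source type, target type and object class, renders both candidate rules for each group, and lists the /proc/<pid> directories that were searched (name=<pid> with dev=proc, which is what comment 4 points at). The sample input reuses four AVC lines from this report plus one constructed SYSCALL record to show that non-AVC records are skipped; the function names are this example's own.

```python
"""Parse SELinux AVC denials and derive candidate policy rules.

Added example for this bug report; not code from Spacewalk/Satellite.
"""
import re
from collections import defaultdict

# Sample input: four AVC lines copied from the report above, plus one constructed
# SYSCALL record (not from the report) to show that unrelated records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1288100394.312:8144): avc:  denied  { search } for  pid=11565 comm="oracle" name="17680" dev=proc ino=1158676482 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1288100397.315:8145): avc:  denied  { search } for  pid=11565 comm="oracle" name="17678" dev=proc ino=1158545410 scontext=root:system_r:oracle_db_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1288100397.315:8145): arch=c000003e syscall=4 success=no exit=-13 comm="oracle"
type=AVC msg=audit(1332515524.871:645): avc:  denied  { search } for  pid=4828 comm="oracle" name="4885" dev=proc ino=418131 scontext=unconfined_u:unconfined_r:oracle_db_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1332515524.873:646): avc:  denied  { search } for  pid=4828 comm="oracle" name="4887" dev=proc ino=418152 scontext=unconfined_u:unconfined_r:oracle_db_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
"""

# Record header: timestamp, serial, verdict, permission set, then free-form key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted (comm="oracle") or bare (dev=proc, scontext=...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux security context: {ctx!r}")
    return parts[2]


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class) -> (perms, count)."""
    groups = defaultdict(lambda: [set(), 0])
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key][0].update(rec["perms"])
        groups[key][1] += 1
    return {k: (frozenset(v[0]), v[1]) for k, v in groups.items()}


def policy_rule(stype, ttype, tclass, perms, silence_only=False):
    """Render the TE rule that would address a denial group.

    silence_only=True renders a dontaudit rule: the access stays denied and only the
    audit noise stops. False renders an allow rule, which widens what the source
    domain may do to every object of that type and class.
    """
    kind = "dontaudit" if silence_only else "allow"
    perm_list = sorted(perms)
    perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
    return f"{kind} {stype} {ttype}:{tclass} {perm_str};"


def proc_pid_targets(log_text):
    """PIDs whose /proc/<pid> directory was the target: dev=proc, tclass=dir, numeric name."""
    pids = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("dev") == "proc" and rec.get("tclass") == "dir" and rec.get("name", "").isdigit():
            pids.add(int(rec["name"]))
    return sorted(pids)


if __name__ == "__main__":
    for (stype, ttype, tclass), (perms, count) in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{count} denial(s): {stype} -> {ttype}:{tclass} {sorted(perms)}")
        print("  allow option    :", policy_rule(stype, ttype, tclass, perms))
        print("  dontaudit option:", policy_rule(stype, ttype, tclass, perms, silence_only=True))
    print("/proc/<pid> directories searched:", proc_pid_targets(SAMPLE_AUDIT_LOG))
```

Running it over the sample yields one group, oracle_db_t -> unconfined_t:dir search, and the two rules under discussion: the allow rule from comment 2 and the dontaudit rule comment 4 prefers. The difference matters because unconfined_t is the label of the /proc/<pid> entries of every unconfined process on the host, so the allow form lets the database domain enumerate all of them, while dontaudit keeps the denial and only stops the log lines.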

Comment 5 Miroslav Suchý 2012-03-23 21:13:49 UTC
# ps axf |grep 4828
 5662 pts/0    S+     0:00          \_ grep 4828
 4828 ?        Ss     0:02 ora_pmon_rhnsat