Description of problem:
There once was no port type defined for ports used by the Oracle database (1521). Then Spacewalk started to use oracle_port_t. Then Fedora added that type. That led to a bit of conflict because the type cannot be defined both in the base policy and in the module. The fix was in Fedora to start using oracledb_port_t. That however turned out to be bad as well because we couldn't have two types use the same value (1521). So the oracledb_port_t was reverted to oracle_port_t in Fedora and in Spacewalk we made the port definition optional, in a separate SELinux module. However, the revert did not make it to (then) rawhide, so now we have the oracledb_port_t in Fedora 15 (and I assume in rawhide as well).
Please revert the oracledb_port_t type to oracle_port_t both in Fedora 15 and in rawhide.
Version-Release number of selected component (if applicable):
# rpm -qa selinux-policy*
selinux-policy-3.9.16-34.fc15.noarch
selinux-policy-targeted-3.9.16-34.fc15.noarch
How reproducible:
Deterministic.
Steps to Reproduce:
1. # semanage port -l | grep oracle
Actual results:
oracledb_port_t tcp 9055, 1521, 2483, 2484
oracledb_port_t udp 1521, 2483, 2484
Expected results:
oracle_port_t tcp 9055, 1521, 2483, 2484
oracle_port_t udp 1521, 2483, 2484
Additional info:
Ok, the same issue which we had with Fedora14.
We added this fix to spec file
%define loadpolicy() \
( cd /usr/share/selinux/%1; \
semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v "oracle-port"; \
); \
(In reply to comment #2)
> We added this fix to spec file
>
> %define loadpolicy() \
> ( cd /usr/share/selinux/%1; \
> semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v
> "oracle-port"; \
> ); \
Actually, this is probably not needed for Fedora 15 and rawhide at all -- there should be no oracle-port module loaded on those OSes. It was an upgrade thing on Fedora 14 and RHEL 6 (I believe). For Fedora 14 and higher, we now assume the base policy defines the type. We would just need the type to be oracle_port_t.
Ok, then the fix is -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
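Review bot: The replacement network_port(oracle, ...) line covers tcp and udp 1521, 2483 and 2484 but not tcp 9055, which the report's expected results list under oracle_port_t, so confirm that 9055 is declared elsewhere and ends up under the renamed type as well. The rename also drops oracledb_port_t with no alias visible in this hunk, so any rule or local module that refers to the old name will stop resolving; consider adding a typealias for it or calling the rename out in the changelog.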
(In reply to comment #4) > Ok, then the fix is > > -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, > tcp,2484,s0, udp,2484,s0) > +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, > tcp,2484,s0, udp,2484,s0) Yes Sir. Thank you.
Fixed in selinux-policy-3.9.16-35.fc15
selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
(In reply to comment #7)
> selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15.
> https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
Works just fine, thank you. Can you apply the same change to rawhide?
Applied. Just building a new release.
Package selinux-policy-3.9.16-35.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-35.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-35.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
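
A check for the port labelling discussed in this report, as an added example that is not part of the original bug thread or of the selinux-policy package: it reads `semanage port -l` output and reports which type labels a given protocol and port, so an updated system can be verified against the expected oracle_port_t. The function names and the `example_range_port_t` line are constructed for illustration; the two oracledb lines are the "Actual results" from the report.

```shell
# Print the SELinux port type(s) that label PROTO/PORT, reading
# `semanage port -l` output on stdin. Handles comma lists and ranges.
port_types() {  # usage: port_types PROTO PORT < listing
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Fields 3..NF hold the port list, e.g. "9055, 1521, 2483, 2484"
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)            # drop the list separator
                n = split(p, r, "-")        # "6000-6020" is a range
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Constructed sample input: the report's "Actual results" plus one range line.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

oracledb_port_t                tcp      9055, 1521, 2483, 2484
oracledb_port_t                udp      1521, 2483, 2484
example_range_port_t           tcp      6000-6020
EOF
}

# Succeeds only when PROTO/PORT is labelled with exactly the EXPECTED type.
check_port_type() {  # usage: check_port_type PROTO PORT EXPECTED < listing
    found=$(port_types "$1" "$2" | sort -u | tr '\n' ' ')
    [ "$found" = "$3 " ]
}

# On a live system:
#   semanage port -l | check_port_type tcp 1521 oracle_port_t
```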