Are you able to also get the AVC denial when you use the https://the-satellite.fqdn/help/forgot_password.pxt and the Email Address / Send Login part of that page? Or is the email delivered without issues in this case?
Also, are you able to get the AVC denial when you use https://FQDN/rhn/users/UserDetails.do?uid=26x ? Note the x in that parameter which should cause the thing to send traceback email. Does the traceback email get sent fine or are any AVC denials logged?
this is git/satellite/selinux/oracle-rhnsat-selinux/oracle-rhnsat.te:

    policy_module(oracle-rhnsat,@@VERSION@@)

    require {
        type initrc_t;
        type oracle_db_t;
        type oracle_db_log_t;
        type oracle_sqlplus_t;
        type initrc_tmp_t;
        type oracle_tnslsnr_t;
        type oracle_tnslsnr_log_t;
        type oracle_lsnrctl_t;
    };

    # Type for common, read-only directories
    type oracle_dir_t;
    files_type(oracle_dir_t);

I'm wondering if we need an extra line in there for /rhnsat (oracle_dir_t) as a filesystem mountpoint:

    files_mountpoint(oracle_dir_t);

dist-git/selinux-policy/serefpolicy-2.4.6/policy/modules/kernel/files.if

    ########################################
    ## <summary>
    ## Make the specified type usable for
    ## filesystem mount points.
    ## </summary>
    ## <param name="type">
    ## <summary>
    ## Type to be used for mount points.
    ## </summary>
    ## </param>
    #
    interface(`files_mountpoint',`
        gen_require(`
            attribute mountpoint;
        ')

        files_type($1)
        typeattribute $1 mountpoint;
    ')

postfix already has the ability to search mountpoints:

    [mhuth@mhuth-laptop services]$ grep mountpoint postfix.*
    postfix.if: fs_search_auto_mountpoints(postfix_$1_t)
    postfix.if: files_search_all_mountpoints(postfix_$1_t)

dist-git/selinux-policy/serefpolicy-2.4.6/policy/modules/kernel/files.if

    ########################################
    ## <summary>
    ## Search all mount points.
    ## </summary>
    ## <param name="domain">
    ## <summary>
    ## Domain allowed access.
    ## </summary>
    ## </param>
    #
    interface(`files_search_all_mountpoints',`
        gen_require(`
            attribute mountpoint;
        ')

        allow $1 mountpoint:dir search_dir_perms;
    ')

So by making oracle_dir_t an SELinux mountpoint type, postfix should be able to search it (do a stat on it) without generating the getattr denial.
Created attachment 604831 [details]
Replaces files_type(oracle_dir_t) with files_mountpoint(oracle_dir_t)

The customer confirmed the following SELinux policy fixed the problem for them:

    policy_module(oracle-rhnsat-mountpoint, 1.0)

    require {
        type oracle_dir_t;
    }

    files_mountpoint(oracle_dir_t);

The patch replaces files_type with files_mountpoint in oracle-rhnsat.te, because according to the SELinux policy, files_mountpoint is a superset of files_type:

From selinux-policy/serefpolicy-3.7.19/policy/modules/kernel/files.if

    ########################################
    ## <summary>
    ## Make the specified type usable for
    ## filesystem mount points.
    ## </summary>
    ## <param name="type">
    ## <summary>
    ## Type to be used for mount points.
    ## </summary>
    ## </param>
    #
    interface(`files_mountpoint',`
        gen_require(`
            attribute mountpoint;
        ')

        files_type($1)
        typeattribute $1 mountpoint;
    ')
Created a scratch build of oracle-rhnsat-selinux for the customer to test the patch: https://brewweb.devel.redhat.com/taskinfo?taskID=4770606
Hello Mark, Please let us know if the test package addressed the customer's issue. Thank you.
Customer has confirmed they are no longer encountering the SELinux denial, either creating users or in their overnight reports. <customer> I can confirm that the overnight reports have not raised an SELinux alert. I didn't think they would either, but thought it best to verify to you guys. Thanks for all your help - this ticket's been quite a long one! Could you let me know if & when this fix is agreed to be part of Satellite 5.5 please? </customer>
The secret to the reproducer is in comment 20. Namely, the machine needs to have both /rhnsat and /var as mountpoints. That fsspace() call is done as fsspace(".", &fsbuf) -- that is why the whole /proc/mounts is parsed. I believe the /rhnsat needs to be in /proc/mounts before /var but I did not check this.
A mere

    # echo Test | mail root

will trigger the AVC denial in such a case.
(In reply to comment #32)
> The secret to reproducer is in comment 20.
>
> Namely, the machine needs to have both /rhnsat and /var as mountpoints. That
> fsspace() call is done as
>
> fsspace(".", &fsbuf)

... while the cwd of smtpd is something under /var.
Public summary: Every day around 23:00, Satellite generates an AVC denial:

    type=AVC msg=audit(1321484405.181:5911): avc: denied { getattr } for pid=11360 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir
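Added example (not from this bug or the Spacewalk tree): a small Python triage helper that parses AVC records like the one above, filters on the postfix_smtpd_t / oracle_dir_t pair, and renders the dontaudit rule that silences exactly that denial. The audit log below is constructed here (the first record is the one quoted in this bug, the second is an unrelated httpd denial added to show the filter), and the rule text is an illustration of the dontaudit approach, not the rule in the actual Spacewalk commit.

```python
import re

# Constructed sample log: record 1 is the denial quoted in this bug,
# record 2 is an unrelated denial that the filter should ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1321484405.181:5911): avc: denied { getattr } for pid=11360 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir
type=AVC msg=audit(1321484410.000:5912): avc: denied { read } for pid=11361 comm="httpd" path="/var/www/html/index.html" dev=dm-3 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Pull out the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return {
        'stype': stype,
        'ttype': ttype,
        'tclass': m.group('tclass'),
        'perms': m.group('perms').split(),
    }

def find_denials(log, stype=None, ttype=None):
    """Parse every AVC record in the log, optionally keeping only one source/target pair."""
    found = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if stype and d['stype'] != stype:
            continue
        if ttype and d['ttype'] != ttype:
            continue
        found.append(d)
    return found

def dontaudit_rule(d):
    """Render a .te dontaudit rule that silences this denial without granting access."""
    return 'dontaudit %s %s:%s { %s };' % (
        d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))

if __name__ == '__main__':
    for d in find_denials(SAMPLE_AUDIT_LOG, stype='postfix_smtpd_t', ttype='oracle_dir_t'):
        print(dontaudit_rule(d))
```

A dontaudit rule keeps the access denied and only stops the audit record; the files_mountpoint() change discussed earlier in this bug is the alternative that actually grants the search/getattr.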
I've opted for dontaudit, per similar fix for bug 245268. Fixed in Spacewalk master, 01a3088cb86c2e607ec47ca446e075c1e7e1701f.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1421.html