Bug 805948 - selinux denials for oracle-xe sqlplus and ptrace
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.7
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
Depends On:
Blocks: space18
Reported: 2012-03-22 10:21 EDT by giovtorres
Modified: 2012-11-01 12:19 EDT (History)
Fixed In Version: oracle-xe-selinux-10.2.0.24-1
Doc Type: Bug Fix
Doc Text:
Last Closed: 2012-11-01 12:19:42 EDT
Description giovtorres 2012-03-22 10:21:47 EDT
Description of problem:

Initially, I followed the oracle backup procedure located here: https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup

I kept getting the following error: Backup of the database failed. flash recovery area is not enabled.

It turns out that selinux is denying sqlplus write access to the /tmp directory, where the backup shell script writes a temporary log file, according to /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh

Here are the avc denials in my audit.log
# I get a lot of these ptrace denials, though I'm not sure if it is 
# related to the backup problem.
type=AVC msg=audit(1332420943.555:26316): avc:  denied  { ptrace } for  pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1332421381.606:26336): avc:  denied  { write } for  pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

type=AVC msg=audit(1332421381.614:26337): avc:  denied  { read } for  pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

I then use audit2allow to see what would fix the problem:

[root@spacewalk ~]# grep sqlplus /var/log/audit/audit.log | audit2allow -m spacewalksqlplus

module spacewalksqlplus 1.0;

require {
	type tmp_t;
	type oracle_sqlplus_t;
	class file write;
}

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;
[root@spacewalk ~]# grep oracle /var/log/audit/audit.log | audit2allow -m spacewalkoracle

module spacewalkoracle 1.0;

require {
	type tmp_t;
	type oracle_db_t;
	type oracle_sqlplus_t;
	class process ptrace;
	class file { read write };
}

#============= oracle_db_t ==============
allow oracle_db_t self:process ptrace;
allow oracle_db_t tmp_t:file read;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;


I recently upgraded from 1.6 to 1.7.  I am running CentOS 5.8 x86_64 with SELinux in enforcing mode.  I followed the oracle installation steps on the trac website and I have the following oracle packages installed, which include the selinux policy packages:

[root@spacewalk ~]# rpm -qa oracle\*
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient11.2-sqlplus-11.2.0.2.0-1
oracle-instantclient11.2-basic-11.2.0.2.0-1
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5
oracle-xe-univ-10.2.0.1-1.0
oracle-instantclient-selinux-11.2.0.1-1.el5
oracle-lib-compat-11.2.0.6-1.el5
oracle-nofcontext-selinux-0.1.23.32-1.el5
Version-Release number of selected component (if applicable):
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5

How reproducible:
Always with SELinux enforcing.

Steps to Reproduce:
1. Follow the steps here (https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup) for setting up the archive log in Oracle-XE for online backups.
2. Run the backup script located at 
/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
3. Look in audit.log for denials
  
Actual results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh 
==================== ERROR =========================
             Backup of the database failed          
==================== ERROR =========================
flash recovery area is not enabled.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Expected results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
Doing online backup of the database.
Backup of the database succeeded.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Additional info:
I'm not sure what is causing the ptrace denials shown above, but it doesn't seem to be caused by running the backup.sh script.
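As an added example (not part of the bug report or of Spacewalk's code): a small Python parser that reads the three AVC records quoted above, decodes the bare hex `path=` value in the third one (auditd hex-encodes a string field that contains a space; this one turns out to be a bash here-document temp file, which is how backup.sh feeds sqlplus), and groups the denials into audit2allow-style rules so they can be compared against what the policy package ships. The sample log and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the bug report above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1332420943.555:26316): avc:  denied  { ptrace } for  pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1332421381.606:26336): avc:  denied  { write } for  pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1332421381.614:26337): avc:  denied  { read } for  pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'path', 'comm', 'name', 'cwd', 'exe', 'proctitle'}  # string fields auditd may hex-encode

def decode_field(key, value):
    """Unquote a quoted value; hex-decode a bare value of a string field (never pid/ino)."""
    if value.startswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['stype'] = rec['scontext'].split(':')[2]  # the type is the 3rd field of a context
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log_text):
    """Group denied perms by (source type, target type, class) as audit2allow does; same type -> 'self'."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            target = 'self' if rec['ttype'] == rec['stype'] else rec['ttype']
            rules[(rec['stype'], target, rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}

def allow_rules(log_text):
    """Render allow rules to diff against the shipped policy module, not to load unreviewed."""
    out = []
    for (stype, target, tclass), perms in sorted(summarize(log_text).items()):
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {p};')
    return out
```

On the sample the rules match the audit2allow output pasted above, and the decoded path is `/tmp/sh-thd-1332434979 (deleted)`, i.e. the here-document that the shell unlinked after opening.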
Comment 1 giovtorres 2012-03-23 19:27:59 EDT
** Update to Description **

I want to reword the actual and expected results so it states that even with the installed *-selinux packages, there are still selinux denials.  The backup script failing to run successfully is not the main problem, but a manifestation of the underlying problem.

Actual Results:
Selinux denials for sqlplus and ptrace.

Expected Results:
No selinux denials for sqlplus and ptrace.
Comment 2 Jan Pazdziora 2012-04-06 06:01:31 EDT
The ptrace AVC denial was addressed in Spacewalk master, d3ec414a58f5374f957963aa86656ca3449a81e1.

I'm currently not able to reproduce the sqlplus denials (on RHEL 5.8), will investigate some more.
Comment 4 Jan Pazdziora 2012-04-10 08:40:50 EDT
More fixes fixing the tmp_t issues went to Spacewalk master.

Tagged as oracle-xe-selinux-10.2.0.24-1.
Comment 5 Jan Pazdziora 2012-10-30 15:24:24 EDT
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/
Comment 6 Jan Pazdziora 2012-11-01 12:19:42 EDT
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18
