Bug 805948 - selinux denials for oracle-xe sqlplus and ptrace
Summary: selinux denials for oracle-xe sqlplus and ptrace
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space18
 
Reported: 2012-03-22 14:21 UTC by giovanni.torres
Modified: 2012-11-01 16:19 UTC (History)

Fixed In Version: oracle-xe-selinux-10.2.0.24-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-01 16:19:42 UTC
Embargoed:



Description giovanni.torres 2012-03-22 14:21:47 UTC
Description of problem:

Initially, I followed the oracle backup procedure located here: https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup

I kept getting the following error: Backup of the database failed. flash recovery area is not enabled.

It turns out that selinux is denying sqlplus write access to the /tmp directory, where the backup shell script writes a temporary log file, according to 
/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh

Here are the avc denials in my audit.log
# I get a lot of these ptrace denials, though I'm not sure if it is 
# related to the backup problem.
type=AVC msg=audit(1332420943.555:26316): avc:  denied  { ptrace } for  pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1332421381.606:26336): avc:  denied  { write } for  pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

type=AVC msg=audit(1332421381.614:26337): avc:  denied  { read } for  pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file

I then use audit2allow to see what would fix the problem:

[root@spacewalk ~]# grep sqlplus /var/log/audit/audit.log | audit2allow -m spacewalksqlplus

module spacewalksqlplus 1.0;

require {
	type tmp_t;
	type oracle_sqlplus_t;
	class file write;
}

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;
[root@spacewalk ~]# grep oracle /var/log/audit/audit.log | audit2allow -m spacewalkoracle

module spacewalkoracle 1.0;

require {
	type tmp_t;
	type oracle_db_t;
	type oracle_sqlplus_t;
	class process ptrace;
	class file { read write };
}

#============= oracle_db_t ==============
allow oracle_db_t self:process ptrace;
allow oracle_db_t tmp_t:file read;

#============= oracle_sqlplus_t ==============
allow oracle_sqlplus_t tmp_t:file write;


I recently upgraded from 1.6 to 1.7.  I am running CentOS 5.8 x86_64 with SELinux in enforcing mode.  I followed the oracle installation steps on the trac website and I have the following oracle packages installed, which include the selinux policy packages:

[root@spacewalk ~]# rpm -qa oracle\*
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient11.2-sqlplus-11.2.0.2.0-1
oracle-instantclient11.2-basic-11.2.0.2.0-1
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5
oracle-xe-univ-10.2.0.1-1.0
oracle-instantclient-selinux-11.2.0.1-1.el5
oracle-lib-compat-11.2.0.6-1.el5
oracle-nofcontext-selinux-0.1.23.32-1.el5
Version-Release number of selected component (if applicable):
oracle-xe-selinux-10.2.0.23-1.el5
oracle-instantclient-sqlplus-selinux-11.2.0.1-1.el5

How reproducible:
Always with SELinux enforcing.

Steps to Reproduce:
1. Follow the steps here (https://fedorahosted.org/spacewalk/wiki/SpacewalkBackup) for setting up the archive log in Oracle-XE for online backups.
2. Run the backup script located at 
/usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
3. Look in audit.log for denials
  
Actual results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh 
==================== ERROR =========================
             Backup of the database failed          
==================== ERROR =========================
flash recovery area is not enabled.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Expected results:
$ /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/scripts/backup.sh
Doing online backup of the database.
Backup of the database succeeded.
Log file is at /usr/lib/oracle/xe/oxe_backup_current.log.

Additional info:
I'm not sure what is causing the ptrace denials shown above, but it doesn't seem to be caused by running the backup.sh script.
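
The three AVC records quoted above can be parsed and collapsed into allow rules the same way audit2allow does, which makes it easier to see what each denial actually is before deciding whether a rule is the right fix. The script below is an added example and is not part of this bug report, of Spacewalk, or of the oracle-xe-selinux package; it embeds the three denials from the description as constructed sample input. One thing it shows that the raw log hides: auditd hex-encodes the path= field whenever the name contains a space, so the third record's path decodes to /tmp/sh-thd-1332434979 (deleted), which is the naming bash uses for here-document temporary files (my reading of the decoded path, not something the report states).

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug
# description, pasted verbatim rather than read from /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1332420943.555:26316): avc:  denied  { ptrace } for  pid=3311 comm="oracle" scontext=system_u:system_r:oracle_db_t:s0 tcontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1332421381.606:26336): avc:  denied  { write } for  pid=7522 comm="sqlplus" path="/tmp/rman_fra7512.log" dev=dm-0 ino=19365894 scontext=root:system_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1332421381.614:26337): avc:  denied  { read } for  pid=7523 comm="oracle" path=2F746D702F73682D7468642D31333332343334393739202864656C6574656429 dev=dm-0 ino=19365904 scontext=root:system_r:oracle_db_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC\s.*?avc:\s+(?P<action>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')
# auditd writes path= either quoted, or as bare hex when the name contains
# a space, a quote or a non-printable byte (as in the third record above).
PATH_RE = re.compile(r'\bpath=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')


def decode_audit_path(raw_hex):
    """Turn a hex-encoded audit path field back into a string."""
    return bytes.fromhex(raw_hex).decode("utf-8", errors="replace")


def selinux_type(context):
    """user:role:type[:range] -> type, e.g. root:object_r:tmp_t:s0 -> tmp_t."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record found in audit.log text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        path = PATH_RE.search(line)
        records.append({
            "action": m.group("action"),
            "perms": tuple(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": comm.group("comm") if comm else None,
            "path": (path.group("quoted") if path and path.group("quoted") is not None
                     else decode_audit_path(path.group("hex")) if path else None),
        })
    return records


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def collapse(records):
    """(source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return rules


def allow_rules(records):
    """The allow lines audit2allow would emit; same type on both sides -> self."""
    rules = collapse(records)
    return [f"allow {s} {'self' if s == t else t}:{cls} {_perm_set(rules[(s, t, cls)])};"
            for (s, t, cls) in sorted(rules)]


def build_te_module(records, name):
    """Full .te module text in the shape of `audit2allow -m NAME`."""
    rules = collapse(records)
    types = sorted({x for (s, t, _) in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_perm_set(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""] + allow_rules(records)
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f'{r["comm"]}: {r["stype"]} -> {r["ttype"]}:{r["tclass"]} {r["perms"]} path={r["path"]!r}')
    print(build_te_module(recs, "spacewalkoracle"))
```

To use it on a live box, pass the contents of /var/log/audit/audit.log to parse_avc() instead of SAMPLE_AUDIT_LOG; the resulting .te text is compiled and loaded the usual way (checkmodule -M -m -o NAME.mod NAME.te; semodule_package -o NAME.pp -m NAME.mod; semodule -i NAME.pp). Treat the generated rules as a diagnosis rather than the fix: "allow oracle_sqlplus_t tmp_t:file write" grants the domain write access to every file labelled tmp_t, not only the log file it creates, so a proper policy package normally gives the domain its own tmp type and a file type transition from tmp_t instead of the blanket allow. The decoded path on the third record is also worth reading before adding a rule, since it identifies which process and which temporary file are involved.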

Comment 1 giovanni.torres 2012-03-23 23:27:59 UTC
** Update to Description **

I want to reword the actual and expected results so it states that even with the installed *-selinux packages, there are still selinux denials.  The backup script failing to run successfully is not the main problem, but a manifestation of the underlying problem.

Actual Results:
Selinux denials for sqlplus and ptrace.

Expected Results:
No selinux denials for sqlplus and ptrace.

Comment 2 Jan Pazdziora 2012-04-06 10:01:31 UTC
The ptrace AVC denial was addressed in Spacewalk master, d3ec414a58f5374f957963aa86656ca3449a81e1.

I'm currently not able to reproduce the sqlplus denials (on RHEL 5.8), will investigate some more.

Comment 4 Jan Pazdziora 2012-04-10 12:40:50 UTC
More fixes fixing the tmp_t issues went to Spacewalk master.

Tagged as oracle-xe-selinux-10.2.0.24-1.

Comment 5 Jan Pazdziora 2012-10-30 19:24:24 UTC
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/

Comment 6 Jan Pazdziora 2012-11-01 16:19:42 UTC
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18
