Bug 1029894 - getting 'type=AVC msg=audit(...): avc: denied { search } for pid=... comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir' after upgrade to glibc-2.12-1.132.el6.x86_64
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 560
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Jiří Mikulka
URL:
Whiteboard:
Depends On: 1031387
Blocks: sat560-triage 1043410
Reported: 2013-11-13 13:26 UTC by Jan Hutař
Modified: 2014-10-06 13:47 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1031387 1043410
Environment:
Last Closed: 2013-12-04 15:42:20 UTC


Links:
Red Hat Product Errata RHBA-2013:1782 (priority: normal, status: SHIPPED_LIVE): Red Hat Network Satellite server oracle-selinux bug fix update, last updated 2013-12-04 20:41:55 UTC

Description Jan Hutař 2013-11-13 13:26:01 UTC
Description of problem:
After upgrading RHEL 6.4 with Satellite 5.5.0 installed to glibc-2.12-1.132.el6.x86_64, I started getting one AVC every ~5-10 seconds. Also seen on 5.4.1, but not on 5.6.0.


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.18.noarch
glibc-2.12-1.132.el6.x86_64


How reproducible:
always


Steps to Reproduce:
1. Take RHEL 6.4, install Satellite 5.5.0 with embedded Oracle DB on it
2. Upgrade to glibc-2.12-1.132.el6.x86_64 and restart Satellite


Actual results:
Every ~5-10 seconds this SELinux AVC message is generated:

type=AVC msg=audit(1384348955.069:2073): avc:  denied  { search } for  pid=9003 comm="oracle" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:oracle_db_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

# ps 9003
  PID TTY      STAT   TIME COMMAND
 9003 ?        Ss     0:00 ora_mmnl_rhnsat


Expected results:
No AVCs should be generated

Comment 3 Jan Hutař 2013-11-15 07:31:13 UTC
SYSCALL generated together with AVC:

type=SYSCALL msg=audit(1384353538.383:6728): arch=c000003e syscall=2 per=400000 success=no exit=-13 a0=7fa5c93d82b8 a1=80000 a2=1ffffd44d7d7 a3=4 items=0 ppid=1 pid=6995 auid=4294967295 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="oracle" exe="/opt/apps/oracle/web/product/10.2.0/db_1/bin/oracle" subj=unconfined_u:system_r:oracl

Comment 5 Michael Mráka 2013-11-15 10:59:37 UTC
Fixed in spacewalk master by
commit 6aa92f5df543de175fcd46a88f7e4b67d1988fa2
    1029894 - allow oracle read sysfs

Comment 6 Jan Hutař 2013-11-15 21:08:23 UTC
Just noted this message as well on 5.6.0 with embedded PostgreSQL:

time->Thu Nov 14 21:55:27 2013
type=SYSCALL msg=audit(1384484127.268:573): arch=c000003e syscall=2 success=no exit=-13 a0=7f18c9ad52b8 a1=80000 a2=2803ff a3=7f1897fff9d0 items=0 ppid=1 pid=27689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384484127.268:573): avc:  denied  { search } for  pid=27689 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Comment 8 Jan Hutař 2013-11-18 07:20:44 UTC
In some very rare cases I do see similar AVC generated by cobbler as well:

time->Sun Nov 17 17:04:05 2013
type=SYSCALL msg=audit(1384725845.423:561): arch=c000003e syscall=2 success=no exit=-13 a0=7faf000582b8 a1=80000 a2=2803ff a3=7faeeabfd9d0 items=0 ppid=1 pid=18537 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1384725845.423:561): avc:  denied  { search } for  pid=18537 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Comment 10 Jan Hutař 2013-11-18 08:01:55 UTC
When in Permissive, these AVCs got recorded:

type=AVC msg=audit(1384760968.366:1448): avc:  denied  { search } for  pid=19262 comm="cobblerd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { read } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1384760968.366:1448): avc:  denied  { open } for  pid=19262 comm="cobblerd" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

And inode 23 is:

/sys/devices/system/cpu/online

which contains:

# cat /sys/devices/system/cpu/online
0-31

and really, I'm on a system with 32 processors:

# cat /proc/cpuinfo | grep ^processor | wc -l
32

Comment 16 errata-xmlrpc 2013-12-04 15:42:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1782.html

