Description of problem:
When SELinux is enforcing and we try to install Satellite with an external Oracle DB, installation fails with the error message "Could not populate database.".

Version-Release number of selected component (if applicable):
Sat5.4.1
Sat5.5.0
Sat5.6.0

How reproducible:
100%

Steps to Reproduce:
1. Check the status of SELinux and switch it on.
    > setenforce 1

2. Run the installation
    > ./install.pl --external-oracle   # Sat5.6.0
    > ./install.pl --external-db       # Sat5.5.0
    > ./install.pl                     # Sat5.4.1 ISO without embedded DB

3. Continue the installation

# SAT 5.6.0 and SAT 5.5.0
-----------------------------------
    * Starting the Spacewalk installer.
    * Performing pre-install checks.
    * Pre-install checks complete. Beginning installation.
    * RHN Registration.
    ** Registration: System is already registered with RHN. Not re-registering.
    * Checking for uninstalled prerequisites.
    * Installing RHN packages.
    * Now running spacewalk-setup.
    * Setting up Selinux..
    * Setting up Oracle environment.
    * Setting up database.
    ** Database: Setting up database connection for Oracle backend.
    Database service name (SID)? mySID.world
    Database hostname [localhost]? externalDB.machine.redhat.com
    Database (listener) port [1521]? 1522
    Username? rhnuser
    Password?
    ** Database: Testing database connection.
    ** Database: Populating database.
    The Database has schema. Would you like to clear the database [Y]? Y
    ** Database: Clearing database.
    ** Database: Shutting down spacewalk services that may be using DB.
    ** Database: Services stopped. Clearing DB.
    ** Database: Re-populating database.
    *** Progress: #
    Could not populate database.

# no errors in /var/log/rhn/rhn-installation.log

# Selinux errors /var/log/audit/audit.log
    type=AVC msg=audit(1377868700.734:2052): avc: denied { name_connect } for pid=27748 comm="sqlplus" dest=1522 scontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1377868700.734:2053): avc: denied { dac_override } for pid=27748 comm="sqlplus" capability=1 scontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tclass=capability

# SAT 5.4.1
-----------------------------------
    * Starting the Red Hat Network Satellite installer.
    * Performing pre-install checks.
    * Pre-install checks complete. Beginning installation.
    * RHN Registration.
    ** Registration: System is already registered with RHN. Not re-registering.
    * Checking for uninstalled prerequisites.
    ** Checking if yum is available ...
    There are some packages from Red Hat Enterprise Linux that are not part
    of the @base group that Satellite will require to be installed on this
    system. The installer will try resolve the dependencies automatically.
    However, you may want to install these prerequisites manually.
    Do you want the installer to resolve dependencies [y/N]? y
    * Applying updates.
    * Installing RHN packages.
    Warning: yum did not install the following packages:
    compat-db
    compat-db42
    compat-db43
    * Now running spacewalk-setup.
    * Setting up Oracle environment.
    * Setting up database.
    ** Database: Setting up database connection for Oracle backend.
    DB User? rhnuser
    DB Password?
    DB SID? mySID
    DB hostname? externalDB.machine.redhat.com
    DB port [1521]? 1522
    DB protocol [TCP]?
    ** Database: Testing database connection.
    ** Database: Populating database.
    *** Progress: #
    * Setting up users and groups.
    ** GPG: Initializing GPG and importing key.
    * Performing initial configuration.
    * Activating RHN Satellite.
    Where is your satellite certificate file?
    /root/redhat-satellite.cert
    ** Loading RHN Satellite Certificate.
    ** Verifying certificate locally.
    ** Activating RHN Satellite.
    There was a problem activating the satellite: Local activation failure.

/var/log/rhn/rhn-installation.log
    ERROR: RHN Entitlement Certificate failed to validate:
    Exception reported from hp-sl2x170zg6-02.rhts.eng.bos.redhat.com
    Time: Fri Aug 30 09:27:25 2013
    Exception type <class 'server.rhnSQL.sql_base.SQLStatementPrepareError'>

    Exception Handler Information
    Traceback (most recent call last):
      File "/usr/share/rhn/satellite_tools/rhn_satellite_activate.py", line 206, in activateSatellite_local
        satCerts.storeRhnCert(cert, check_generation=1, check_version=not(options.ignore_version_mismatch))
      File "/usr/share/rhn/satellite_tools/satCerts.py", line 233, in storeRhnCert
        create_first_org(owner=sc.owner)
      File "/usr/share/rhn/satellite_tools/satCerts.py", line 91, in create_first_org
        return get_org_id()
      File "/usr/share/rhn/satellite_tools/satCerts.py", line 81, in get_org_id
        rows = get_all_orgs()
      File "/usr/share/rhn/satellite_tools/satCerts.py", line 65, in get_all_orgs
        h.execute()
      File "/usr/share/rhn/server/rhnSQL/sql_base.py", line 168, in execute
        return apply(self._execute_wrapper, (self._execute, ) + p, kw)
      File "/usr/share/rhn/server/rhnSQL/driver_cx_Oracle.py", line 107, in _execute_wrapper
        raise apply(sql_base.SQLStatementPrepareError, args)
    SQLStatementPrepareError: ('ORA-00942: table or view does not exist\n', 942, 'SELECT id FROM web_customer')

# Selinux errors /var/log/audit/audit.log
    type=AVC msg=audit(1377868700.734:2052): avc: denied { name_connect } for pid=27748 comm="sqlplus" dest=1522 scontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1377868700.734:2053): avc: denied { dac_override } for pid=27748 comm="sqlplus" capability=1 scontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:oracle_sqlplus_t:s0-s0:c0.c1023 tclass=capability

4. We can try sqlplus
    > su - oracle
    > sqlplus rhnuser/password@//externalDB.machine.redhat.com:1522/mySID.world

    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 30 09:41:09 2013

    Copyright (c) 1982, 2007, Oracle. All Rights Reserved.

    ERROR:
    ORA-12546: TNS:permission denied

# same AVC errors in /var/log/audit/audit.log as in installation

Actual results:
installation fails

Expected results:
installation does not fail

Additional info:
I will investigate whether this bug is in older RHEL6 and external PostgreSQL.
This problem is only with non-standard ports.
Martin, can you comment on what the reason was for closing this bug?
After some time I revisited this bug and changed my mind, because an SELinux restriction on a non-standard port is not a bug, it's a feature. Maybe only one thing should be fixed: the message "Could not populate database." is a little too general; something like "Problem with connection to DB" would be better.