Bug 498686 - SELinux Preventing httpd From Starting: mod_rewrite / satidmap.pl Issue
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
530
All Linux
low Severity medium
Assigned To: Jan Pazdziora
wes hayutin
Depends On: 498685
Blocks: 457079
Reported: 2009-05-01 17:49 EDT by Devan Goodwin
Modified: 2009-09-10 15:12 EDT
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:12:45 EDT
Description Devan Goodwin 2009-05-01 17:49:29 EDT
Description of problem:

After installation of Sat 530 ISO, httpd will not run due to an selinux denial.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090501.1-i386-embedded-oracle.iso

How reproducible:

Suspect 100%.

Steps to Reproduce:
1. Install Satellite.
  
Actual results:

Error about tomcat not running; in fact it's httpd that's not running, with this error in error_log:

[Fri May 01 17:28:07 2009] [error] (13)Permission denied: mod_rewrite: could not start RewriteMap program /etc/rhn/satellite-httpd/conf/satidmap.pl


Expected results:

httpd runs. :)


Additional info:

Verified quickly that this is selinux related by doing setenforce 0, service httpd restart (comes up fine). Error does also appear in audit.log when enforcing.
Comment 1 Jan Pazdziora 2009-05-04 09:08:16 EDT
What is the error in audit.log?

I wonder if the whole SELinux setup is broken because of bug 498685 -- the SELinux modules were not loaded properly at all?
Comment 2 Devan Goodwin 2009-05-04 12:10:04 EDT
From audit.log:

type=AVC msg=audit(1241380980.842:257): avc:  denied  { execute } for  pid=14495 comm="httpd" name="satidmap.pl" dev=hda3 ino=7032978 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1241380980.842:257): arch=40000003 syscall=33 success=no exit=-13 a0=8a56018 a1=5 a2=73e1e8 a3=8a9ae30 items=0 ppid=1 pid=14495 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Think it's related to the bad selinux rpm versions?
Comment 3 Jan Pazdziora 2009-05-05 08:41:58 EDT
(In reply to comment #2)
> 
> Think it's related to the bad selinux rpm versions?  

Yes. The correct type is

# ls -laZ /etc/rhn/satellite-httpd/conf/satidmap.pl
-rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t /etc/rhn/satellite-httpd/conf/satidmap.pl

The issue will be fixed once we have a new ISO with the new oracle-nofcontext-selinux. That is tracked in bug 498685. We can probably make it a dupe of that one. Or keep it open to go through the whole QA process. Alternatively you can retest and confirm that the problem is gone once the new ISO is out.
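
Added example, not part of the bug thread or of any Satellite tooling: a small parser that reads AVC denials like the one in comment 2 and reports file targets whose SELinux type differs from the expected one given in comment 3. The names `EXPECTED_TYPES`, `parse_avc` and `find_mislabeled` are hypothetical, and the second sample record is constructed.

```python
import re

# AVC record as quoted in comment 2, plus one constructed non-AVC record.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1241380980.842:257): avc:  denied  { execute } for  '
    'pid=14495 comm="httpd" name="satidmap.pl" dev=hda3 ino=7032978 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file',
    'type=USER_START msg=audit(1241380990.000:258): user pid=1 uid=0 '
    'msg="constructed sample"',
]

# Expected file type per file name, from the ls -laZ output in comment 3.
# Assumption: matching on the bare name, because name= in an AVC record
# holds only the last path component, not the full path.
EXPECTED_TYPES = {"satidmap.pl": "httpd_sys_script_exec_t"}

AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    return rec


def find_mislabeled(lines, expected=EXPECTED_TYPES):
    """Report file denials whose target type differs from the expected one."""
    findings = []
    for rec in filter(None, map(parse_avc, lines)):
        want = expected.get(rec.get("name"))
        if rec.get("tclass") == "file" and want and rec["target_type"] != want:
            findings.append((rec["name"], rec["source_type"], rec["perms"],
                             rec["target_type"], want))
    return findings
```

A finding here means the denial comes from a file label, not from a missing allow rule for `httpd_t`, which is the distinction comment 3 draws.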
Comment 4 Jan Pazdziora 2009-05-11 07:55:30 EDT
Package oracle-nofcontext-selinux-0.1-23.8.1.el5sat.noarch.rpm with the fix is
on the Satellite-5.3.0-RHEL5-re20090507.1 ISO, moving ON_QA.
Comment 5 wes hayutin 2009-05-11 12:56:04 EDT
verified 5/7.1 build
Comment 6 Marcus Moeller 2009-07-21 08:22:12 EDT
Still valid in Spacewalk with oracle-nofcontext-selinux-0.1-23.9.el5.noarch.

Best Regards
Marcus
Comment 7 Milan Zázrivec 2009-09-02 07:50:17 EDT
Verified in stage -> RELEASE_PENDING
Comment 8 Brandon Perkins 2009-09-10 15:12:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
