Description of problem: After installation of Sat 530 ISO, httpd will not run due to an selinux denial. Version-Release number of selected component (if applicable): Satellite-5.3.0-RHEL5-re20090501.1-i386-embedded-oracle.iso How reproducible: Suspect 100%. Steps to Reproduce: 1. Install Satellite. Actual results: Error about tomcat not being running, in fact it's httpd that's not running with this error in error_log: [Fri May 01 17:28:07 2009] [error] (13)Permission denied: mod_rewrite: could not start RewriteMap program /etc/rhn/satellite-httpd/conf/satidmap.pl Expected results: httpd runs. :) Additional info: Verified quickly that this is selinux related by doing setenforce 0, service httpd restart (comes up fine). Error does also appear in audit.log when enforcing.
What is the error in audit.log? I wonder if the whole SELinux setup is broken because of bug 498685 -- the SELinux modules were not loaded properly at all?
From audit.log: type=AVC msg=audit(1241380980.842:257): avc: denied { execute } for pid=14495 comm="httpd" name="satidmap.pl" dev=hda3 ino=7032978 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1241380980.842:257): arch=40000003 syscall=33 success=no exit=-13 a0=8a56018 a1=5 a2=73e1e8 a3=8a9ae30 items=0 ppid=1 pid=14495 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null) Think it's related to the bad selinux rpm versions?
(In reply to comment #2) > > Think it's related to the bad selinux rpm versions? Yes. The correct type is # ls -laZ /etc/rhn/satellite-httpd/conf/satidmap.pl -rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /etc/rhn/satellite-httpd/conf/satidmap.pl The issue will be fixed once we have new ISO with new oracle-nofcontext-selinux. That is tracked in bug 498685. We can probably make it a dupe of that one. Or keep it open to go throught the whole QA process. Alternatively you can retest and confirm that the problem is gone once the new ISO is out.
Package oracle-nofcontext-selinux-0.1-23.8.1.el5sat.noarch.rpm with the fix is on the Satellite-5.3.0-RHEL5-re20090507.1 ISO, moving ON_QA.
verified 5/7.1 build
Still valid in Spacewalk with oracle-nofcontext-selinux-0.1-23.9.el5.noarch. Best Regards Marcus
Verified in stage -> RELEASE_PENDING
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html