<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Lucida Console";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console";color:#1F497D">I am also having this issue. Applying various SELinux fixes using sealert seems to be able to get it working again, but agree that it’s a band-aid and that the packages
should be updated to allow proper PAM auth for Spacewalk with SELinux. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console";color:#1F497D">--Matthew Wilkinson<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> spacewalk-list-bounces@redhat.com [mailto:spacewalk-list-bounces@redhat.com]
<b>On Behalf Of </b>Olli Rajala<br>
<b>Sent:</b> Tuesday, January 02, 2018 04:38<br>
<b>To:</b> Aleksander Baranowski<br>
<b>Cc:</b> spacewalk-list@redhat.com<br>
<b>Subject:</b> Re: [Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[This is an external email. Be cautious with links, attachments and responses.]<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<div>
<div>
<p class="MsoNormal">Hi,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Didn't know about the yum history command, thanks for tip!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Below you can find the info I think is relevant. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I suppose that the following update done at 2017-09-27 broke the PAM auth: selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">After downgrading selinux-policy (+ other necessary dependencies) to the 3.13.1-102, PAM authentication started working again.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I've done previously custom selinux-policies as you described, but I think it's only a band aid. The proper way is to fix the selinux-policy -package. I suppose I should create a ticket about this to Redhat + CentOS bug reporting systems?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">$ sudo yum history<br>
Loaded plugins: fastestmirror, versionlock<br>
ID | Login user | Date and time | Action(s) | Altered<br>
-------------------------------------------------------------------------------<br>
41 | <> | 2017-12-11 09:36 | E, I, O, U | 89 EE<br>
40 | <> | 2017-09-27 13:00 | E, I, O, U | 322 EE<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Update 40:<br>
Updated selinux-policy-3.13.1-102.el7_3.16.noarch @updates<o:p></o:p></p>
<div>
<p class="MsoNormal"> Update 3.13.1-166.el7_4.4.noarch @updates<br>
Updated selinux-policy-targeted-3.13.1-102.el7_3.16.noarch @updates<br>
Update 3.13.1-166.el7_4.4.noarch @updates<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Update 41:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> Updated selinux-policy-3.13.1-166.el7_4.4.noarch @updates<br>
Update 3.13.1-166.el7_4.7.noarch @updates<br>
Updated selinux-policy-targeted-3.13.1-166.el7_4.4.noarch @updates<br>
Update 3.13.1-166.el7_4.7.noarch @updates<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Downgraded packages:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">firewalld-0.4.3.2-8.el7.noarch.rpm <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm <br>
python-firewall-0.4.3.2-8.el7.noarch.rpm<br>
selinux-policy-3.13.1-102.el7_3.16.noarch.rpm<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
-Olli<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <<a href="mailto:ab@euro-linux.com" target="_blank">ab@euro-linux.com</a>> wrote:<o:p></o:p></p>
<div>
<p>Hi,<br>
<br>
I believe that it would be easier if you attach update log. You can use `yum history` for that purpose.<br>
<br>
First solution:<br>
This is lucky guess, but selinux-policy* was probably updated, you can always try downgrading.<br>
<br>
Second solution:<br>
Note that below solution is quite bruteforce :)<br>
Install setroubleshoot-server.<br>
<br>
sealert -a /var/log/audit/audit.log would give you recipe for new SELinux policy.<br>
<br>
As said before - it's not the best solution (you will probably need repeat sealert)<br>
<br>
I know that both of them are much more like hot patching instead of resolving root cause, but this is what comes to my mind.<br>
<br>
Bests,<br>
Alex<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On 01/02/2018 10:40 AM, Olli Rajala wrote:<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br>
We had working PAM authentication in our Spacewalk 2.6 running on CentOS 7.4.1708, and it was updated + rebooted today. After some update during autumn PAM authentication stopped working. Unfortunately I can't be more specific. I know when it worked (24.7.2017),
but not when it stopped. Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just fine, so this is related to CentOS 7.<br>
<br>
The issue is the same as described in this post: <a href="https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html" target="_blank">
https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html</a><br>
<br>
Raw Audit Messages<br>
type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket<br>
<br>
SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java from getattr access on the direry /var/log/rhn.<br>
<br clear="all">
$ rpm -qa | grep spacewalk-selinux<br>
spacewalk-selinux-2.3.2-1.el7.noarch<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Any ideas? Disabling SELinux is not a possibility.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Luckily we can login with local accounts, but would prefer PAM authentication.
<o:p></o:p></p>
</div>
<p class="MsoNormal">BR,<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">Olli Rajala<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Finland<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Spacewalk-list mailing list<o:p></o:p></pre>
<pre><a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a><o:p></o:p></pre>
<pre><a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal">--<br>
Aleksander Baranowski<br>
<span style="font-size:9.0pt;color:black">System Engineer / DevOps</span> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <o:p></o:p></p>
<div>
<p class="MsoNormal">Olli Rajala<br>
Ravoltek<br>
Vaasa, Finland<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ravoltek.net&d=DwMFaQ&c=GUDVeAVg1gjs_GJkmwL1m3gEzDND7NeJG5BIAX_2yRE&r=zxSMv3Yyn0u8GiLjBm805qsHQ-PQnlWklaJFaNwJsRdou0Rx32Ld6bt57-Tq1kdA&m=j9iSrd6bQ7Au5HqHDMvj40NeDoujqt0mtlIOQZAaxqg&s=NbXDJFySkJiZRoCl4Zy6bncOYQbX76BvpeD8OvaBcNw&e=" target="_blank">http://www.ravoltek.net</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>