<div dir="ltr"><div>Hi,</div><div>Didn't know about the yum history command, thanks for the tip!</div><div><br></div><div>Below you can find the info I think is relevant. <br></div><div><br></div><div>I suppose that the following update done on 2017-09-27 broke the PAM auth: selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch</div><div><br></div><div>After downgrading selinux-policy (+ other necessary dependencies) to the 3.13.1-102, PAM authentication started working again.</div><div><br></div><div>I've previously done custom selinux-policies as you described, but I think it's only a band-aid. The proper way is to fix the selinux-policy package. I suppose I should create a ticket about this to Red Hat + CentOS bug reporting systems?<br></div><div><br></div><div>$ sudo yum history<br>Loaded plugins: fastestmirror, versionlock<br>ID | Login user | Date and time | Action(s) | Altered<br>-------------------------------------------------------------------------------<br> 41 | <> | 2017-12-11 09:36 | E, I, O, U | 89 EE<br> 40 | <> | 2017-09-27 13:00 | E, I, O, U | 322 EE<br></div><div><br></div><div><br></div><div><br></div>Update 40:<br> Updated selinux-policy-3.13.1-102.el7_3.16.noarch @updates<br><div> Update 3.13.1-166.el7_4.4.noarch @updates<br> Updated selinux-policy-targeted-3.13.1-102.el7_3.16.noarch @updates<br> Update 3.13.1-166.el7_4.4.noarch @updates</div><br><div><br></div><div>Update 41:</div><div><br></div><div> Updated selinux-policy-3.13.1-166.el7_4.4.noarch @updates<br> Update 3.13.1-166.el7_4.7.noarch @updates<br> Updated selinux-policy-targeted-3.13.1-166.el7_4.4.noarch @updates<br> Update 3.13.1-166.el7_4.7.noarch @updates</div><div><br></div><div><br></div><div>Downgraded packages:</div><div><br></div><div>firewalld-0.4.3.2-8.el7.noarch.rpm <br></div><div>firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm 
<br>python-firewall-0.4.3.2-8.el7.noarch.rpm<br>selinux-policy-3.13.1-102.el7_3.16.noarch.rpm</div><div>selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm<br></div><div><br></div><br>-Olli<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <span dir="ltr"><<a href="mailto:ab@euro-linux.com" target="_blank">ab@euro-linux.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,<br>
<br>
I believe that it would be easier if you attach the update log. You
can use `yum history` for that purpose.<br>
<br>
First solution:<br>
This is a lucky guess, but selinux-policy* was probably updated,
you can always try downgrading.<br>
<br>
Second solution:<br>
Note that the solution below is quite brute-force :)<br>
Install setroubleshoot-server.<br>
<br>
sealert -a /var/log/audit/audit.log would give you a recipe for
a new SELinux policy.<br>
<br>
As said before - it's not the best solution (you will probably
need to repeat sealert)<br>
<br>
I know that both of them are much more like hot patching instead
of resolving the root cause, but this is what comes to my mind.<br>
<br>
Bests,<br>
Alex<br>
</p><div><div class="h5">
<div class="m_-4694986887820801712moz-cite-prefix">On 01/02/2018 10:40 AM, Olli Rajala
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>
<div>Hi,<br>
We had working PAM authentication in our Spacewalk 2.6
running on CentOS 7.4.1708, and it was updated + rebooted
today. After some update during autumn PAM authentication
stopped working. Unfortunately I can't be more specific. I
know when it worked (24.7.2017), but not when it stopped.
Another instance of Spacewalk 2.6 on CentOS 6.9 seems to
work just fine, so this is related to CentOS 7.<br>
<br>
The issue is the same as described in this post: <a href="https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html" target="_blank">https://www.redhat.com/<wbr>archives/spacewalk-list/2017-<wbr>September/msg00007.html</a><br>
<br>
Raw Audit Messages<br>
type=AVC msg=audit(1514881078.526:6091)<wbr>: avc: denied {
create } for pid=1037 comm="java"
scontext=system_u:system_r:<wbr>tomcat_t:s0
tcontext=system_u:system_r:<wbr>tomcat_t:s0
tclass=netlink_audit_socket<br>
<br>
SELinux is preventing
/usr/lib/jvm/java-1.8.0-<wbr>openjdk-1.8.0.144-0.b01.el7_4.<wbr>x86_64/jre/bin/java
from getattr access on the directory /var/log/rhn.<br>
<br clear="all">
$ rpm -qa | grep spacewalk-selinux<br>
spacewalk-selinux-2.3.2-1.el7.<wbr>noarch<br>
<br>
</div>
Any ideas? Disabling SELinux is not a possibility.<br>
<br>
</div>
Luckily we can login with local accounts, but would prefer PAM
authentication. <br>
<br>
</div>
BR,<br>
<div>
<div>
<div>-- <br>
<div class="m_-4694986887820801712gmail_signature">Olli Rajala<br>
</div>
<div class="m_-4694986887820801712gmail_signature">Finland<br>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div></div><pre>______________________________<wbr>_________________
Spacewalk-list mailing list
<a class="m_-4694986887820801712moz-txt-link-abbreviated" href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a>
<a class="m_-4694986887820801712moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/spacewalk-<wbr>list</a></pre>
</blockquote>
--<br>
Aleksander Baranowski<br>
<span style="font-size:12px;font-weight:normal;color:#000000">System
Engineer / DevOps</span>
</div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Olli Rajala<br>Ravoltek<br>Vaasa, Finland<br><a href="http://www.ravoltek.net" target="_blank">http://www.ravoltek.net</a></div>
</div></div>