<div dir="ltr"><div>Hi,</div><div>Didn't know about the yum history command, thanks for the tip!</div><div><br></div><div>Below you can find the info I think is relevant. <br></div><div><br></div><div>I suppose that the following update done on 2017-09-27 broke the PAM auth: selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch</div><div><br></div><div>After downgrading selinux-policy (+ other necessary dependencies) to 3.13.1-102, PAM authentication started working again.</div><div><br></div><div>I've previously done custom selinux-policies as you described, but I think it's only a band-aid. The proper way is to fix the selinux-policy package. I suppose I should create a ticket about this in the Red Hat + CentOS bug reporting systems?<br></div><div><br></div><div>$ sudo yum history<br>Loaded plugins: fastestmirror, versionlock<br>ID     | Login user               | Date and time    | Action(s)      | Altered<br>-------------------------------------------------------------------------------<br>    41 |  <>               | 2017-12-11 09:36 | E, I, O, U     |   89 EE<br>    40 |  <>               | 2017-09-27 13:00 | E, I, O, U     |  322 EE<br></div><div><br></div><div><br></div><div><br></div>Update 40:<br>    Updated     selinux-policy-3.13.1-102.el7_3.16.noarch                     @updates<br><div>    Update                     3.13.1-166.el7_4.4.noarch                      @updates<br>    Updated     selinux-policy-targeted-3.13.1-102.el7_3.16.noarch            @updates<br>    Update                              3.13.1-166.el7_4.4.noarch             @updates</div><br><div><br></div><div>Update 41:</div><div><br></div><div>    Updated    selinux-policy-3.13.1-166.el7_4.4.noarch                      @updates<br>    Update                    3.13.1-166.el7_4.7.noarch                      @updates<br>    Updated    selinux-policy-targeted-3.13.1-166.el7_4.4.noarch             @updates<br>    Update                             3.13.1-166.el7_4.7.noarch   
          @updates</div><div><br></div><div><br></div><div>Downgraded packages:</div><div><br></div><div>firewalld-0.4.3.2-8.el7.noarch.rpm             <br></div><div>firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm  <br>python-firewall-0.4.3.2-8.el7.noarch.rpm<br>selinux-policy-3.13.1-102.el7_3.16.noarch.rpm</div><div>selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm<br></div><div><br></div><br>-Olli<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <span dir="ltr"><<a href="mailto:ab@euro-linux.com" target="_blank">ab@euro-linux.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hi,<br>
      <br>
      I believe that it would be easier if you attached the update log. You
      can use `yum history` for that purpose.<br>
      <br>
      First solution:<br>
        This is a lucky guess, but selinux-policy* was probably updated;
      you can always try downgrading.<br>
      <br>
      Second solution:<br>
        Note that the solution below is quite brute-force :)<br>
        Install setroubleshoot-server.<br>
      <br>
        sealert -a /var/log/audit/audit.log would give you a recipe for
      a new SELinux policy.<br>
      <br>
        As said before - it's not the best solution (you will probably
      need to repeat sealert)<br>
      <br>
      I know that both of them are much more like hot patching instead
      of resolving the root cause, but this is what comes to my mind.<br>
      <br>
      Bests,<br>
      Alex<br>
    </p><div><div class="h5">
    <div class="m_-4694986887820801712moz-cite-prefix">On 01/02/2018 10:40 AM, Olli Rajala
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">
        <div>
          <div>
            <div>Hi,<br>
              We had working PAM authentication in our Spacewalk 2.6
              running on CentOS 7.4.1708, and it was updated + rebooted
              today. After some update during autumn PAM authentication
              stopped working. Unfortunately I can't be more specific. I
              know when it worked (24.7.2017), but not when it stopped.
              Another instance of Spacewalk 2.6 on CentOS 6.9 seems to
              work just fine, so this is related to CentOS 7.<br>
              <br>
              The issue is the same as described in this post: <a href="https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html" target="_blank">https://www.redhat.com/<wbr>archives/spacewalk-list/2017-<wbr>September/msg00007.html</a><br>
              <br>
              Raw Audit Messages<br>
              type=AVC msg=audit(1514881078.526:6091)<wbr>: avc:  denied  {
              create } for  pid=1037 comm="java"
              scontext=system_u:system_r:<wbr>tomcat_t:s0
              tcontext=system_u:system_r:<wbr>tomcat_t:s0
              tclass=netlink_audit_socket<br>
              <br>
              SELinux is preventing
/usr/lib/jvm/java-1.8.0-<wbr>openjdk-1.8.0.144-0.b01.el7_4.<wbr>x86_64/jre/bin/java
              from getattr access on the directory /var/log/rhn.<br>
              <br clear="all">
              $ rpm -qa | grep spacewalk-selinux<br>
              spacewalk-selinux-2.3.2-1.el7.<wbr>noarch<br>
              <br>
            </div>
            Any ideas? Disabling SELinux is not a possibility.<br>
            <br>
          </div>
          Luckily we can login with local accounts, but would prefer PAM
          authentication. <br>
          <br>
        </div>
        BR,<br>
        <div>
          <div>
            <div>-- <br>
              <div class="m_-4694986887820801712gmail_signature">Olli Rajala<br>
              </div>
              <div class="m_-4694986887820801712gmail_signature">Finland<br>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="m_-4694986887820801712mimeAttachmentHeader"></fieldset>
      <br>
      </div></div><pre>______________________________<wbr>_________________
Spacewalk-list mailing list
<a class="m_-4694986887820801712moz-txt-link-abbreviated" href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a>
<a class="m_-4694986887820801712moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/spacewalk-<wbr>list</a></pre>
    </blockquote>
    --<br>
    Aleksander Baranowski<br>
    <span style="font-size:12px;font-weight:normal;color:#000000">System
      Engineer / DevOps</span>
  </div>



</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Olli Rajala<br>Ravoltek<br>Vaasa, Finland<br><a href="http://www.ravoltek.net" target="_blank">http://www.ravoltek.net</a></div>
</div></div>
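<p>Added example, not part of the original thread and not code from Spacewalk or setroubleshoot: a small Python reviewer aid that parses raw AVC denials like the one quoted above and lists the allow rules a generated local policy module would have to contain, so the grant can be reviewed before any module is loaded. The first sample line is the record quoted in the thread; the other lines, including the type name example_log_t, are constructed for illustration.</p>

```python
import re
from collections import defaultdict

# Header of an AVC denial record plus the key=value tail that follows "for".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit.log line; return None for non-AVC or malformed records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    src = selinux_type(fields.get('scontext', ''))
    tgt = selinux_type(fields.get('tcontext', ''))
    if not (src and tgt and 'tclass' in fields):
        return None
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm', '?'),
            'source': src, 'target': tgt, 'tclass': fields['tclass']}

def summarize(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            # A domain acting on an object it labels itself is written "self".
            target = 'self' if rec['source'] == rec['target'] else rec['target']
            grouped[(rec['source'], target, rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

SAMPLE = [  # line 1 is from the thread; the rest are constructed
    'type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for  pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1514881079.100:6092): avc:  denied  { getattr } for  pid=1037 comm="java" path="/var/log/rhn" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1514881079.100:6092): arch=c000003e syscall=4 success=no',
]

if __name__ == '__main__':
    print('\n'.join(summarize(SAMPLE)))
```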