[Spacewalk-list] Proxy 1.1 selinux issue

Brian_Kosick at McAfee.com Brian_Kosick at McAfee.com
Tue Nov 2 22:23:59 UTC 2010 

Hi All,

I just updated our proxy from 1.0 to 1.1 on a RHEL5.5-i386 box.    I keep getting the following error on the client.

rhnreg_ks --serverUrl=https://sp.server.com/XMLRPC --activationkey=XXXXXXXXXXXXX --force
An error has occurred:

Error Message:
    RHN Proxy error (auth caching issue). Please contact your system administrator.
Error Class Code: 1000
Error Class Info: RHN Proxy error.
Explanation: 
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.

See /var/log/up2date for more information

I tracked it down and found matching entries in the audit log on the proxy server
spacewalk-backend-1.1.51-1.el5
spacewalk-backend-libs-1.1.51-1.el5
spacewalk-certs-tools-1.1.1-1.el5
spacewalk-proxy-broker-1.1.4-1.el5
spacewalk-proxy-common-1.1.4-1.el5
spacewalk-proxy-docs-1.1.1-1.el5
spacewalk-proxy-html-1.1.1-1.el5
spacewalk-proxy-installer-1.1.2-1.el5
spacewalk-proxy-management-1.1.4-1.el5
spacewalk-proxy-package-manager-1.1.4-1.el5
spacewalk-proxy-redirect-1.1.4-1.el5
spacewalk-proxy-selinux-1.1.1-1.el5
spacewalk-repo-1.1-3.el5
spacewalk-setup-jabberd-1.1.1-1.el5
spacewalk-ssl-cert-check-2.0-1.el5

type=AVC msg=audit(1288733927.462:170): avc:  denied  { write } for  pid=4396 comm="httpd" name="rhn" dev=sda5 ino=1409027 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1288733927.462:170): arch=40000003 syscall=39 success=no exit=-13 a0=8d46a40 a1=1ed a2=10db8e4 a3=8dc87ac items=0 ppid=3957 pid=4396 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

I tried the selinux troubleshooting tips, and followed the inode to /var/cache/rhn and ran

restorecon -rvv /var/cache/rhn

restorecon reset /var/cache/rhn/proxy-auth context root:object_r:var_t:s0->system_u:object_r:spacewalk_proxy_cache_t:s0
restorecon reset /var/cache/rhn/proxy-auth/1000010278 context root:object_r:var_t:s0->system_u:object_r:spacewalk_proxy_cache_t:s0
restorecon reset /var/cache/rhn/proxy-auth/p1000010078 context root:object_r:var_t:s0->system_u:object_r:spacewalk_proxy_cache_t:s0

The only thing that helped was setting selinux to permissive.

Thanks,
Brian

More information about the Spacewalk-list mailing list