[Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux

Olli Rajala olli.rajala at gmail.com
Tue Jan 2 10:37:36 UTC 2018


Hi,
Didn't know about the yum history command, thanks for the tip!

Below you can find the info I think is relevant.

I suppose that the following update done on 2017-09-27 broke the PAM auth:
selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch

After downgrading selinux-policy (+ other necessary dependencies) to the
3.13.1-102, PAM authentication started working again.

I've previously made custom SELinux policies as you described, but I think
it's only a band-aid. The proper way is to fix the selinux-policy package.
I suppose I should create a ticket about this in the Red Hat + CentOS bug
reporting systems?

$ sudo yum history
Loaded plugins: fastestmirror, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    41 |  <>               | 2017-12-11 09:36 | E, I, O, U     |   89 EE
    40 |  <>               | 2017-09-27 13:00 | E, I, O, U     |  322 EE



Update 40:
    Updated selinux-policy-3.13.1-102.el7_3.16.noarch           @updates
    Update                 3.13.1-166.el7_4.4.noarch            @updates
    Updated selinux-policy-targeted-3.13.1-102.el7_3.16.noarch  @updates
    Update                          3.13.1-166.el7_4.4.noarch   @updates


Update 41:

    Updated selinux-policy-3.13.1-166.el7_4.4.noarch            @updates
    Update                 3.13.1-166.el7_4.7.noarch            @updates
    Updated selinux-policy-targeted-3.13.1-166.el7_4.4.noarch   @updates
    Update                          3.13.1-166.el7_4.7.noarch   @updates


Downgraded packages:

firewalld-0.4.3.2-8.el7.noarch.rpm
firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm
python-firewall-0.4.3.2-8.el7.noarch.rpm
selinux-policy-3.13.1-102.el7_3.16.noarch.rpm
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm


-Olli


On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <ab at euro-linux.com>
wrote:

> Hi,
>
> I believe that it would be easier if you attach the update log. You can use
> `yum history` for that purpose.
>
> First solution:
>   This is a lucky guess, but selinux-policy* was probably updated, you can
> always try downgrading.
>
> Second solution:
>   Note that the below solution is quite brute-force :)
>   Install setroubleshoot-server.
>
>   sealert -a /var/log/audit/audit.log would give you a recipe for a new
> SELinux policy.
>
>   As said before - it's not the best solution (you will probably need
> to repeat sealert)
>
> I know that both of them are much more like hot patching instead of
> resolving the root cause, but this is what comes to my mind.
>
> Bests,
> Alex
> On 01/02/2018 10:40 AM, Olli Rajala wrote:
>
> Hi,
> We had working PAM authentication in our Spacewalk 2.6 running on CentOS
> 7.4.1708, and it was updated + rebooted today. After some update during
> autumn PAM authentication stopped working. Unfortunately I can't be more
> specific. I know when it worked (24.7.2017), but not when it stopped.
> Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just fine, so
> this is related to CentOS 7.
>
> The issue is the same as described in this post:
> https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html
>
> Raw Audit Messages
> type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for
> pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0
> tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
>
> SELinux is preventing
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java
> from getattr access on the directory /var/log/rhn.
>
> $ rpm -qa | grep spacewalk-selinux
> spacewalk-selinux-2.3.2-1.el7.noarch
>
> Any ideas? Disabling SELinux is not a possibility.
>
> Luckily we can login with local accounts, but would prefer PAM
> authentication.
>
> BR,
> --
> Olli Rajala
> Finland
>
>
>
> --
> Aleksander Baranowski
> System Engineer / DevOps
>



-- 
Olli Rajala
Ravoltek
Vaasa, Finland
http://www.ravoltek.net
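
Added example (not part of the original thread, and not code from Spacewalk or setroubleshoot): the policy recipe discussed above is derived from AVC records like the one quoted in the first mail. This Python parser turns such records into the corresponding allow rules and merges repeated denials; the first sample record is the denial from the thread, while the other records and the type example_log_t are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the thread. The remaining records are
# constructed; example_log_t is a hypothetical type, not the real label.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1514881079.101:6092): avc:  denied  { getattr } for pid=1037 comm="java" path="/var/log/rhn" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1514881079.101:6092): arch=c000003e syscall=4 success=no exit=-13 comm="java"
type=AVC msg=audit(1514881080.200:6093): avc:  denied  { nlmsg_relay } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no rule
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def to_allow_rules(denials):
    """Render each group as one type-enforcement allow rule."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = 'self' if src == tgt else tgt  # same type is written as self
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {target}:{tclass} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in to_allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each generated rule should be reviewed before it goes into a local module: in enforcing mode the first denial stops the operation, so later denials only show up after the earlier ones are allowed, which is why the log usually has to be processed more than once.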