[Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux
Wilkinson, Matthew
MatthewWilkinson at alliantenergy.com
Tue Jan 2 16:34:44 UTC 2018
I am also having this issue. Applying various SELinux fixes using sealert seems to be able to get it working again, but I agree that it's a band-aid and that the packages should be updated to allow proper PAM auth for Spacewalk with SELinux.
--Matthew Wilkinson
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Olli Rajala
Sent: Tuesday, January 02, 2018 04:38
To: Aleksander Baranowski
Cc: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux
Hi,
Didn't know about the yum history command, thanks for the tip!
Below you can find the info I think is relevant.
I suppose that the following update, done on 2017-09-27, broke the PAM auth: selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch
After downgrading selinux-policy (+ other necessary dependencies) to the 3.13.1-102, PAM authentication started working again.
I've previously made custom SELinux policies as you described, but I think it's only a band-aid. The proper way is to fix the selinux-policy package. I suppose I should create a ticket about this in the Red Hat + CentOS bug reporting systems?
$ sudo yum history
Loaded plugins: fastestmirror, versionlock
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
41 | <> | 2017-12-11 09:36 | E, I, O, U | 89 EE
40 | <> | 2017-09-27 13:00 | E, I, O, U | 322 EE
Update 40:
Updated selinux-policy-3.13.1-102.el7_3.16.noarch @updates
Update 3.13.1-166.el7_4.4.noarch @updates
Updated selinux-policy-targeted-3.13.1-102.el7_3.16.noarch @updates
Update 3.13.1-166.el7_4.4.noarch @updates
Update 41:
Updated selinux-policy-3.13.1-166.el7_4.4.noarch @updates
Update 3.13.1-166.el7_4.7.noarch @updates
Updated selinux-policy-targeted-3.13.1-166.el7_4.4.noarch @updates
Update 3.13.1-166.el7_4.7.noarch @updates
Downgraded packages:
firewalld-0.4.3.2-8.el7.noarch.rpm
firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm
python-firewall-0.4.3.2-8.el7.noarch.rpm
selinux-policy-3.13.1-102.el7_3.16.noarch.rpm
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm
-Olli
On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <ab at euro-linux.com> wrote:
Hi,
I believe that it would be easier if you attach the update log. You can use `yum history` for that purpose.
First solution:
This is a lucky guess, but selinux-policy* was probably updated; you can always try downgrading.
Second solution:
Note that the solution below is quite brute-force :)
Install setroubleshoot-server.
sealert -a /var/log/audit/audit.log would give you a recipe for a new SELinux policy.
As said before - it's not the best solution (you will probably need to repeat sealert)
I know that both of them are much more like hot patching instead of resolving root cause, but this is what comes to my mind.
Bests,
Alex
On 01/02/2018 10:40 AM, Olli Rajala wrote:
Hi,
We had working PAM authentication in our Spacewalk 2.6 running on CentOS 7.4.1708, and it was updated + rebooted today. After some update during autumn PAM authentication stopped working. Unfortunately I can't be more specific. I know when it worked (24.7.2017), but not when it stopped. Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just fine, so this is related to CentOS 7.
The issue is the same as described in this post: https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html
Raw Audit Messages
type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java from getattr access on the directory /var/log/rhn.
$ rpm -qa | grep spacewalk-selinux
spacewalk-selinux-2.3.2-1.el7.noarch
Any ideas? Disabling SELinux is not a possibility.
Luckily we can login with local accounts, but would prefer PAM authentication.
BR,
--
Olli Rajala
Finland
--
Aleksander Baranowski
System Engineer / DevOps
--
Olli Rajala
Ravoltek
Vaasa, Finland
http://www.ravoltek.net
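Added example (not part of the original thread, and not code from Spacewalk or setroubleshoot): before loading a local policy module built from the audit log, as the sealert approach above does, it helps to see exactly which access each denial would turn into. The sketch below collapses AVC records into the type-enforcement rules they correspond to so they can be reviewed first. The first sample line is the denial quoted in the thread; the other lines are constructed, and placeholder_log_t is a placeholder type, since the thread gives no raw record for /var/log/rhn.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread. Line 2 (repeat of the same denial),
# line 3 (placeholder target type) and line 4 (non-AVC record) are constructed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1514881079.101:6092): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1514881080.002:6093): avc: denied { getattr } for pid=1037 comm="java" path="/var/log/rhn" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:placeholder_log_t:s0 tclass=dir
type=USER_AUTH msg=audit(1514881081.000:6094): pid=1037 uid=0 msg='op=PAM:authentication res=failed'
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def summarize_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        # A context is user:role:type:level; the type is the third field.
        src = m.group("s").split(":")[2]
        tgt = m.group("t").split(":")[2]
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return dict(rules)


def as_te_rules(rules):
    """Render the summary as allow rules; 'self' when source and target match."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {target}:{cls} {perm_txt};")
    return out


if __name__ == "__main__":
    for rule in as_te_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each printed rule is access that a generated module would grant to every process in the tomcat_t domain, which is the scope to weigh when deciding between a local module and waiting for a fixed selinux-policy package.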