[Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux

Wilkinson, Matthew MatthewWilkinson at alliantenergy.com
Tue Jan 2 16:34:44 UTC 2018


I am also having this issue. Applying various SELinux fixes using sealert seems to be able to get it working again, but I agree that it's a band-aid and that the packages should be updated to allow proper PAM auth for Spacewalk with SELinux.

--Matthew Wilkinson

From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Olli Rajala
Sent: Tuesday, January 02, 2018 04:38
To: Aleksander Baranowski
Cc: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux

Hi,
Didn't know about the yum history command, thanks for the tip!

Below you can find the info I think is relevant.

I suppose that the following update done on 2017-09-27 broke the PAM auth: selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch

After downgrading selinux-policy (+ other necessary dependencies) to the 3.13.1-102, PAM authentication started working again.

I've previously done custom selinux-policies as you described, but I think it's only a band-aid. The proper way is to fix the selinux-policy package. I suppose I should create a ticket about this in the Red Hat + CentOS bug reporting systems?

$ sudo yum history
Loaded plugins: fastestmirror, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    41 |  <>               | 2017-12-11 09:36 | E, I, O, U     |   89 EE
    40 |  <>               | 2017-09-27 13:00 | E, I, O, U     |  322 EE



Update 40:
    Updated     selinux-policy-3.13.1-102.el7_3.16.noarch                     @updates
    Update                     3.13.1-166.el7_4.4.noarch                      @updates
    Updated     selinux-policy-targeted-3.13.1-102.el7_3.16.noarch            @updates
    Update                              3.13.1-166.el7_4.4.noarch             @updates


Update 41:

    Updated    selinux-policy-3.13.1-166.el7_4.4.noarch                      @updates
    Update                    3.13.1-166.el7_4.7.noarch                      @updates
    Updated    selinux-policy-targeted-3.13.1-166.el7_4.4.noarch             @updates
    Update                             3.13.1-166.el7_4.7.noarch             @updates


Downgraded packages:

firewalld-0.4.3.2-8.el7.noarch.rpm
firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm
python-firewall-0.4.3.2-8.el7.noarch.rpm
selinux-policy-3.13.1-102.el7_3.16.noarch.rpm
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm


-Olli

On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <ab at euro-linux.com> wrote:

Hi,

I believe that it would be easier if you attach the update log. You can use `yum history` for that purpose.

First solution:
  This is a lucky guess, but selinux-policy* was probably updated; you can always try downgrading.

Second solution:
  Note that the solution below is quite brute-force :)
  Install setroubleshoot-server.

  sealert -a /var/log/audit/audit.log would give you a recipe for a new SELinux policy.

  As said before - it's not the best solution (you will probably need to repeat sealert)

I know that both of them are much more like hot patching instead of resolving root cause, but this is what comes to my mind.

Bests,
Alex
On 01/02/2018 10:40 AM, Olli Rajala wrote:
Hi,
We had working PAM authentication in our Spacewalk 2.6 running on CentOS 7.4.1708, and it was updated + rebooted today. After some update during autumn PAM authentication stopped working. Unfortunately I can't be more specific. I know when it worked (24.7.2017), but not when it stopped. Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just fine, so this is related to CentOS 7.

The issue is the same as described in this post: https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html

Raw Audit Messages
type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for  pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java from getattr access on the directory /var/log/rhn.

$ rpm -qa | grep spacewalk-selinux
spacewalk-selinux-2.3.2-1.el7.noarch
Any ideas? Disabling SELinux is not a possibility.
Luckily we can login with local accounts, but would prefer PAM authentication.
BR,
--
Olli Rajala
Finland


_______________________________________________

Spacewalk-list mailing list

Spacewalk-list at redhat.com

https://www.redhat.com/mailman/listinfo/spacewalk-list
--
Aleksander Baranowski
System Engineer / DevOps



--
Olli Rajala
Ravoltek
Vaasa, Finland
http://www.ravoltek.net
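
Added example, not part of the original thread and not Spacewalk or setroubleshoot code: the AVC record quoted above, parsed in Python and turned into the kind of candidate allow rule that the sealert recipe leads to. The names parse_avc and candidate_rules are this example's own, and the only input is the audit line from the post.

```python
import re
from collections import defaultdict

# The AVC record quoted in the thread, embedded so the example runs offline.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for  '
    'pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)

def selinux_type(context):
    """Extract the type from user:role:type[:level]; None if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    src = selinux_type(fields.get('scontext', ''))
    tgt = selinux_type(fields.get('tcontext', ''))
    if not (src and tgt and 'tclass' in fields):
        return None
    return {'perms': m.group('perms').split(), 'source_type': src,
            'target_type': tgt, 'tclass': fields['tclass'],
            'comm': fields.get('comm', '').strip('"')}

def candidate_rules(log_text):
    """Merge denials per (source, target, class) into allow rules for review."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = 'self' if src == tgt else tgt  # same domain on both sides
        rules.append('allow %s %s:%s { %s };'
                     % (src, target, cls, ' '.join(sorted(perms))))
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_AUDIT_LOG)))
```

Each rule it prints is a candidate to read and judge before loading it as a local module, and, as the thread notes, further denials may only show up once the first one is allowed.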