[Spacewalk-list] Spacewalk-list Digest, Vol 116, Issue 5

Paul-Andre Panon paul-andre.panon at avigilon.com
Fri Jan 5 00:56:15 UTC 2018


On Wed, 3 Jan 2018 13:29:04, Michael Mraka <michael.mraka at redhat.com> wrote:
>Olli Rajala:
>> Hi,
>> We had working PAM authentication in our Spacewalk 2.6 running on 
>> CentOS 7.4.1708, and it was updated + rebooted today. After some 
>> update during autumn PAM authentication stopped working. Unfortunately 
>> I can't be more specific. I know when it worked (24.7.2017), but not when it stopped.
>> Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just 
>> fine, so this is related to CentOS 7.
>> 
>> The issue is the same as described in this post:
>> https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html
>> 
>> Raw Audit Messages
>> type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for
>> pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0
>> tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
>> 
>> SELinux is preventing
>> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java
>> from getattr access on the directory /var/log/rhn.
>> 
>> $ rpm -qa | grep spacewalk-selinux
>> spacewalk-selinux-2.3.2-1.el7.noarch
>> 
>> Any ideas? Disabling SELinux is not a possibility.
>
>Hello Olli,
>
>This issue has already been fixed in Spacewalk 2.7 (together with a number of other tomcat_t issues). Is there a specific reason why you are using an older (and unsupported) version?
>
>> Luckily we can login with local accounts, but would prefer PAM 
>> authentication.
>> 
>> BR,
>> --
>> Olli Rajala
>> Finland
>
>Regards,
>
>--
>Michael Mráka
>System Management Engineering, Red Hat
>

Hi Michael,

I beg to differ. I upgraded to Spacewalk 2.7 at about the same time as the 7.4 updates came out and it took me a long time to figure out that the SELinux policies are what broke PAM. I didn't get them fixed until just before Christmas.
While upgrading to SW 2.7 fixed a lot of issues with the 7.4 policy, the PAM sssd module still had problems accessing the krb5.conf file, and tomcat had problems accessing pam.
Here are the notes I wrote for our internal team on the steps I took to resolve the PAM authentication issue:

"So I've finally got Spacewalk AD authentication working again. My PAM configuration is fine.
 
The first clue was an SELinux error in /var/log/messages that sssd couldn't access krb5.conf:

Dec 21 17:28:44 dc1-lsw01 python: SELinux is preventing /usr/libexec/sssd/sssd_be from write access on the file /etc/krb5.conf.#012#012*****  Plugin catchall_labels (83.8 confidence) suggests   *******************#012#012If you want to allow sssd_be to have write access on the krb5.conf file#012Then you need to change the label on /etc/krb5.conf#012Do#012# semanage fcontext -a -t FILE_TYPE '/etc/krb5.conf'#012where FILE_TYPE is one of the following: abrt_var_cache_t, afs_cache_t, auth_cache_t, faillog_t, gkeyringd_tmp_t, initrc_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, puppet_tmp_t, security_t, selinux_login_config_t, sssd_public_t, sssd_var_lib_t, sssd_var_log_t, sssd_var_run_t, user_cron_spool_t, user_tmp_t.#012Then execute:#012restorecon -v '/etc/krb5.conf'#012#012#012*****  Plugin catchall (17.1 confidence) suggests   **************************#012#012If you believe that sssd_be should be allowed write access on the krb5.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe#012# semodule -i my-sssdbe.pp#012

That led me to a post about CentOS 7.4 SELinux breaking a bunch of Spacewalk 2.6 stuff, not all of which was fixed by Spacewalk 2.7. So I fixed the above error with the recommended ausearch/audit2allow command. Then I started seeing the following in /var/log/secure:
Dec 21 17:58:16 dc1-lsw01 java: PAM audit_log_acct_message() failed: Permission denied
which led me to https://www.endpoint.com/blog/2013/11/20/selinux-fix-for-sudo-pam
and when I tried to turn off SELinux enforcement, authentication by PAM sssd started working.
 
So then I ran through the rest of the process in that latter blog entry, looked again in /var/log/messages, saw new SELinux errors about java (Spacewalk's Tomcat) and ran those through ausearch/audit2allow. And we're good to go again."

If you follow the endpoint blog link, you'll see that I was not the only person to find that not all SW 2.7 issues with the new SELinux policy have been resolved.

Paul-Andre Panon
Senior systems administrator
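The ausearch/audit2allow step described in this thread turns every logged denial into an allow rule, so the generated module is worth reading before `semodule -i`. As an added illustration (not code from the thread or from the Spacewalk project), the script below parses raw AVC records into the (source type, target type, class, permissions) tuples that audit2allow would emit and renders them as .te policy source for review. The sample records are constructed: the first is the tomcat_t denial quoted above, the other two are modelled on the /var/log/rhn and krb5.conf messages with assumed target types and inode numbers.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (the first one is quoted in the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1514881078.526:6091): avc:  denied  { create } for  pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1514881078.530:6092): avc:  denied  { getattr } for  pid=1037 comm="java" path="/var/log/rhn" dev="dm-0" ino=1234 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1513877324.101:5001): avc:  denied  { write } for  pid=802 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=5678 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
"""

# Permissions sit in braces; contexts are user:role:type:level, so type is field 2.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, ...)
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def _fmt(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(rules, module_name):
    """Render the rule set as .te source equivalent to audit2allow -M output."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = defaultdict(set)
    for (s, t, c), perms in rules.items():
        by_class[c].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(by_class.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if s == t else t  # same type on both sides -> self
        out.append(f"allow {s} {target}:{c} {_fmt(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_te(parse_denials(SAMPLE_AVC), "my_spacewalk"))
```

Read the resulting allow lines with the same scrutiny as the sealert suggestion above: the krb5.conf rule grants sssd_t write on krb5_conf_t, which is broader than the read access the module needs, and a file-context fix may be the better answer for that one.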
