[Spacewalk-list] Clients cannot connect to Spacewalk

Wilkinson, Matthew MatthewWilkinson at alliantenergy.com
Mon Mar 5 18:50:42 UTC 2018 

I've noticed this behavior on a few of our Spacewalk clients recently. I've applied the latest Spacewalk server and client patches and that doesn't seem to help. I've also turned SELinux on and off and that doesn't seem to help, even though there are some SELinux messages being written to the logs.

I'm running Spacewalk 2.7 and clients with the 2.7 client packages running OL 7. The only solution I've found thus far is to remove the RHN client packages and then reinstall/re-register which works flawlessly.


When a client is malfunctioning, again inexplicably, it throws this error in the server rhn_server_xmlrpc log:

2018/03/05 11:56:34 -05:00 12089 <IP address omitted>: rhnServer/server_certificate.certificate('ERROR', "Could not marshall certificate for {'username': None, 'operating_system': 'redhat
-release-server', 'description': 'Initial Registration Parameters:\\nOS: redhat-release-server\\nRelease: 7Server\\nCPU Arch: x86_64', 'checksum': <omitted>', 'profile_name': '<omitted>.domain.com', 'system_id': '<omitted>', 'architecture': 'x86_64-redhat-linux', 'os_release': '7.4', 'fie
lds': ['system_id', 'os_release', 'operating_system', 'architecture', 'type'], 'type': 'REAL'}")

This error on the client:

# yum repolist
Loaded plugins: changelog, rhnplugin, verify
There was an error communicating with RHN.
Red Hat Satellite or RHN Classic support will be disabled.
rhn-plugin: Error communicating with server. The message was:
While running 'registration.upgrade_version': caught
<type 'exceptions.TypeError'> : ('cannot marshal None unless allow_none is enabled', {'username': None, 'operating_system': 'redhat-release-server', 'description': 'Initial Regist
ration Parameters:\nOS: redhat-release-server\nRelease: 7Server\nCPU Arch: x86_64', 'checksum': '<omitted>', 'profile_name':
<omitted>.domain.com', 'system_id': '<omitted>', 'architecture': 'x86_64-redhat-linux', 'os_release': '7.4', 'fields': ['system_id', 'os_release', 'operating_system
', 'architecture', 'type'], 'type': 'REAL'})

repolist: 0


And I saw some SELinux messages, but again, fixing these or setting SELinux to permissive didn't help:

# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from write access on the directory /usr/lib/python2.7/site-packages/spacewalk/common.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed write access on the common directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'osad' --raw | audit2allow -M my-osad
# semodule -i my-osad.pp


Additional Information:
Source Context                system_u:system_r:osad_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/python2.7/site-packages/spacewalk/common
                             [ dir ]
Source                        osad
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-58.0.1.el7.x86_64
Target RPM Packages           spacewalk-usix-2.7.8-1.el7.noarch
Policy RPM                    selinux-policy-3.13.1-166.0.3.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <omitted>.domain.com
Platform                      Linux <omitted>.domain.com
                             3.10.0-693.11.6.el7.x86_64 #1 SMP Wed Jan 3
                             18:59:47 PST 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-03-05 11:44:53 CST
Last Seen                     2018-03-05 11:44:53 CST
Local ID                      <omitted>

Raw Audit Messages
type=AVC msg=audit(1520271893.927:335515): avc:  denied  { write } for  pid=24343 comm="osad" name="common" dev="dm-1" ino=654732 scontext=system_u:system_r:osad_t:s0 tcontext=sys
tem_u:object_r:lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1520271893.927:335515): arch=x86_64 syscall=open success=no exit=EACCES a0=177b400 a1=2c1 a2=81a4 a3=7effc9e4c610 items=0 ppid=1 pid=24343 auid=4294967295 u
id=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=osad exe=/usr/bin/python2.7 subj=system_u:system_r:osad_t:s0 key=(null)

Hash: osad,osad_t,lib_t,dir,write

Matthew Wilkinson | Lead Server Administrator, Unix
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20180305/04025fcf/attachment.htm>

More information about the Spacewalk-list mailing list