[Spacewalk-list] Updating to CentOS 7.5 appears to have broken Spacewalk
Paul-Andre Panon
paul-andre.panon at avigilon.com
Thu May 31 18:25:14 UTC 2018
Since updating to CentOS 7.5 and rebooting, trying to access the Spacewalk service web page generates crashes and WEB TRACEBACKs
The following exception occurred while executing this request:
GET /rhn/Login.do
…
User Information:
No User logged in.
Exception:
javax.servlet.ServletException: java.lang.RuntimeException: IOException while trying to exec: rpm -q --qf=%{VERSION}-%{RELEASE} satellite-schema
at org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:520)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:427)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:229)
at com.redhat.rhn.frontend.struts.RhnRequestProcessor.process(RhnRequestProcessor.java:105)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1926)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:451)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.redhat.rhn.frontend.servlets.AuthFilter.doFilter(AuthFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.redhat.rhn.frontend.servlets.LocalizedEnvironmentFilter.doFilter(LocalizedEnvironmentFilter.java:67)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.redhat.rhn.frontend.servlets.EnvironmentFilter.doFilter(EnvironmentFilter.java:101)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.redhat.rhn.frontend.servlets.SessionFilter.doFilter(SessionFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.redhat.rhn.frontend.servlets.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:97)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: IOException while trying to exec: rpm -q --qf=%{VERSION}-%{RELEASE} satellite-schema
at com.redhat.rhn.manager.satellite.SystemCommandExecutor.execute(SystemCommandExecutor.java:112)
at com.redhat.rhn.frontend.action.LoginHelper.getRpmSchemaVersion(LoginHelper.java:343)
at com.redhat.rhn.frontend.action.LoginHelper.isSchemaUpgradeRequired(LoginHelper.java:313)
at com.redhat.rhn.frontend.action.LoginSetupAction.execute(LoginSetupAction.java:47)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
... 45 more
Caused by: java.io.IOException: Cannot run program "rpm": error=13, Permission denied
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
at java.lang.Runtime.exec(Runtime.java:620)
at java.lang.Runtime.exec(Runtime.java:485)
at com.redhat.rhn.manager.satellite.SystemCommandExecutor.execute(SystemCommandExecutor.java:71)
... 49 more
Caused by: java.io.IOException: error=13, Permission denied
at java.lang.UNIXProcess.forkAndExec(Native Method)
at java.lang.UNIXProcess.<init>(UNIXProcess.java:247)
at java.lang.ProcessImpl.start(ProcessImpl.java:134)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
... 52 more
I considered that it could be an SELinux violation, and sure enough “ausearch -m avc” returns
time->Thu May 31 10:49:16 2018
type=PROCTITLE msg=audit(1527788956.880:178): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D6561002D586D733235366D002D586D783235366D002D446A6176612E6177742E686561646C6573733D74727565002D446F72672E786D6C2E7361782E6472697665723D6F72672E6170616368652E7865726365732E706172736572732E5341585061727365
type=SYSCALL msg=audit(1527788956.880:178): arch=c000003e syscall=59 success=no exit=-13 a0=7f3ef1ddf859 a1=7f3f00133250 a2=7ffc8a8f7350 a3=7f3ef1ddf360 items=0 ppid=1246 pid=3186 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1527788956.880:178): avc: denied { execute } for pid=3186 comm="java" name="rpm" dev="dm-0" ino=50945303 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
(There are also errors with rpc.gssd, which appear to cause issues for pam/AD integration:
----
time->Thu May 31 10:45:04 2018
type=PROCTITLE msg=audit(1527788704.241:34): proctitle="/usr/sbin/rpc.gssd"
type=SYSCALL msg=audit(1527788704.241:34): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=3 a3=0 items=0 ppid=1 pid=854 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1527788704.241:34): avc: denied { block_suspend } for pid=854 comm="rpc.gssd" capability=36 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2
The rpc.gssd issue is a known bug: https://bugzilla.redhat.com/show_bug.cgi?id=1582158
)
So I ran
ausearch -c 'java' --raw | tail -3 | audit2allow -M my-java
semodule -i my-java.pp
Since Java does have a history of vulnerabilities, I can see why CentOS might not generally want to give java access to run the rpm application (and easily scan for known vulnerable packages or even install one). Just a heads up to Spacewalk people out there who are looking to upgrade to CentOS 7.5.
Cheers,
Paul-Andre Panon
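As an added example (not from the original post), the script below turns the AVC records quoted above into the allow rule that audit2allow would generate, but restricted to one source domain, so an unrelated denial such as the rpc.gssd one cannot slip into the same module when records are piped through tail; the function names avc_to_rules and build_module and the SAMPLE_AUDIT data are constructed here from the post's own audit lines.

```shell
#!/bin/sh
# Added example, not part of the original post: derive a minimal SELinux
# type-enforcement module from AVC denial records, limited to one source
# domain, so the text that semodule would install can be reviewed first.
# SAMPLE_AUDIT is constructed from the two denials quoted in the post.
SAMPLE_AUDIT='type=AVC msg=audit(1527788956.880:178): avc: denied { execute } for pid=3186 comm="java" name="rpm" dev="dm-0" ino=50945303 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1527788704.241:34): avc: denied { block_suspend } for pid=854 comm="rpc.gssd" capability=36 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2'

# avc_to_rules DOMAIN   (audit records on stdin)
# Emits one "allow" rule per AVC record whose source type is DOMAIN;
# records from any other domain are skipped rather than granted.
avc_to_rules() {
    want="$1"
    while IFS= read -r line; do
        case "$line" in type=AVC*denied*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
        stype=$(printf '%s\n' "$line" | sed -n 's/.* scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
        ttype=$(printf '%s\n' "$line" | sed -n 's/.* tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
        tclass=$(printf '%s\n' "$line" | sed -n 's/.* tclass=\([^ ]*\).*/\1/p')
        [ "$stype" = "$want" ] || continue
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perm"
    done
}

# build_module NAME DOMAIN   (audit records on stdin)
# Wraps the rules in the module/require header a .te file needs; returns 1
# when no denial for DOMAIN was seen, so nothing empty gets compiled.
build_module() {
    rules=$(avc_to_rules "$2")
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '{ split($3, t, ":"); print "    type " $2 ";"; print "    type " t[1] ";" }' | sort -u
    printf '%s\n' "$rules" | awk '{ split($3, t, ":"); p = ""; for (i = 5; i < NF; i++) p = p " " $i; print "    class " t[2] " {" p " };" }'
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: print the module for the tomcat_t denial only.
printf '%s\n' "$SAMPLE_AUDIT" | build_module tomcat_rpm tomcat_t
```

The printed text is what checkmodule -M -m would compile; reading it before semodule -i confirms the module grants tomcat_t nothing beyond execute on rpm_exec_t.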