[Spacewalk-list] Spacewalk 2.9 / Proxy and Selinux

Andy Warring kazonuk at gmail.com
Fri Apr 26 13:01:45 UTC 2019


Hi,

I have installed the latest Spacewalk Proxy packages on a CentOS 7 AMI from
Amazon (CentOS Linux 7 x86_64 HVM EBS ENA 1901_01), but when an instance tries to
register through it to our Spacewalk Master it gets the following error:

PYCURL ERROR 22 - "The requested URL returned error: 500 Internal Server
Error"

If we disable SELinux on the Proxy, this then works ok.

I have checked that the Proxy has the spacewalk-proxy-selinux package
installed:

rpm -ql spacewalk-proxy-selinux
/usr/sbin/spacewalk-proxy-selinux-enable
/usr/share/doc/spacewalk-proxy-selinux-2.8.3
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.fc
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.if
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.te
/usr/share/selinux/devel/include/apps/spacewalk-proxy.if
/usr/share/selinux/mls/spacewalk-proxy.pp
/usr/share/selinux/strict/spacewalk-proxy.pp
/usr/share/selinux/targeted/spacewalk-proxy.pp

semodule -l | grep spacewalk-proxy
This returned no results!

So I imported the following: semodule -i
/usr/share/selinux/targeted/spacewalk-proxy.pp

[root@euw2c660swproxy01 strict]# semodule -l | grep spacewalk-proxy
spacewalk-proxy 2.8.3.1

But this didn't resolve the issue.

So next I ran sealert on the audit.log, which prompted the following actions:

ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -i my-httpd.pp

The my-httpd.te contained:
module my-httpd 1.0;

require {
        type var_log_t;
        type smtp_port_t;
        type rhnsd_conf_t;
        type httpd_t;
        type var_t;
        type var_spool_t;
        type http_cache_port_t;
        class tcp_socket name_connect;
        class dir { add_name read remove_name write };
        class file { create getattr lock open read rename unlink write };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t rhnsd_conf_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow httpd_t smtp_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t var_log_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t var_spool_t:dir { add_name read remove_name write };

#!!!! WARNING: 'var_spool_t' is a base type.
allow httpd_t var_spool_t:file unlink;

#!!!! This avc is allowed in the current policy
allow httpd_t var_spool_t:file { create rename write };

#!!!! This avc is allowed in the current policy
allow httpd_t var_t:file { getattr lock open read write };

-----------------

When I then imported my-httpd.pp, things started to work. I was able to
register a client through the Proxy with SELinux set to Enforcing, but why
is this the case?

I would expect this to work by just installing spacewalk-proxy-selinux
(which is installed).

The errors are similar to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1365569 but I can confirm that
the fixes in this ticket are in
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.te on this
Proxy server.

I would appreciate any help / insight into how I can fix this (without having
to disable SELinux or add this additional module file).

Many thanks,

Andy
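A note on reading the audit2allow output above, with an added example that is not part of the original post or of the Spacewalk project: the "#!!!! This avc is allowed in the current policy" comment means audit2allow checked each denial against the policy loaded at the time it ran and found that rule already present. That is the pattern you get when ausearch pulls the whole audit history, including denials logged before `semodule -i spacewalk-proxy.pp` was run; the only rule in my-httpd.te that the loaded policy did not already grant is `allow httpd_t var_spool_t:file unlink`, and the "base type" warning on it means it is broader than a correctly labelled spool file would need. The script below filters raw AVC lines by timestamp and merges them into candidate allow rules, so only denials recorded after the module was loaded are considered. The audit lines, pids, inodes and the cutoff epoch are constructed for the example; the source and target types mirror the ones in the post.

```shell
#!/bin/sh
# Added example (not from the original post): turn raw AVC denials that
# occurred at or after a cutoff time into de-duplicated candidate allow rules.
# Denials logged before the spacewalk-proxy module was loaded are skipped,
# so the result only contains what the currently loaded policy still lacks.

# Constructed sample audit.log lines (hypothetical pids and inodes).
SAMPLE_AUDIT='type=AVC msg=audit(1556281000.100:101): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1556281001.200:102): avc:  denied  { read open } for  pid=2001 comm="httpd" name="rhn.conf" dev="xvda1" ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rhnsd_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556283600.300:201): avc:  denied  { unlink } for  pid=2002 comm="httpd" name="upload.tmp" dev="xvda1" ino=50001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556283601.400:202): avc:  denied  { unlink } for  pid=2002 comm="httpd" name="upload2.tmp" dev="xvda1" ino=50002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1556283601.400:202): arch=c000003e syscall=87 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"'

# Hypothetical epoch at which `semodule -i spacewalk-proxy.pp` was run.
MODULE_LOADED_AT=1556283000

# avc_rules_since CUTOFF  < audit.log
# Prints one "allow SRC TGT:CLASS { PERMS };" line per (source type, target
# type, class) seen in AVC denials whose timestamp is >= CUTOFF, merging the
# permission sets of repeated denials. Output is sorted for stable diffing.
avc_rules_since() {
    awk -v cutoff="$1" '
        /^type=AVC / && / denied / {
            # msg=audit(EPOCH.MS:SERIAL) -> EPOCH
            if (!match($0, /audit\([0-9]+/)) next
            epoch = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (epoch < cutoff) next

            # "{ perm perm ... }" -> "perm perm ..."
            if (!match($0, /\{ [^}]* \}/)) next
            perms = substr($0, RSTART + 2, RLENGTH - 4)

            stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                # user:role:type:level -> third component is the type
                if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (stype == "" || ttype == "" || tclass == "") next

            key = stype " " ttype ":" tclass
            m = split(perms, p, " ")
            for (j = 1; j <= m; j++) {
                # add each permission once per key
                if (index(" " seen[key] " ", " " p[j] " ") == 0) {
                    if (seen[key] == "") seen[key] = p[j]
                    else seen[key] = seen[key] " " p[j]
                }
            }
        }
        END {
            for (k in seen) printf "allow %s { %s };\n", k, seen[k]
        }' | LC_ALL=C sort
}

# Only the denials after the module load survive: one var_spool_t unlink rule.
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules_since "$MODULE_LOADED_AT"
```

On a real host the same filtering can be done at the source with `ausearch -m avc -ts <time> --raw | avc_rules_since 0` (the `--raw` output is the audit.log line format the script parses), and a rule against a base type such as var_spool_t is a cue to check the file's label with `ls -Z` and `matchpathcon` before writing a local policy for it.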