[Spacewalk-list] Spacewalk 2.9 / Proxy and Selinux
Andy Warring
kazonuk at gmail.com
Fri Apr 26 13:01:45 UTC 2019
Hi,
I have installed the latest Spacewalk Proxy packages on a CentOS 7 AMI from
Amazon (CentOS Linux 7 x86_64 HVM EBS ENA 1901_01), but when an instance tries to
register through it to our Spacewalk Master it gets the following error:
PYCURL ERROR 22 - "The requested URL returned error: 500 Internal Server Error"
If we disable SELinux on the Proxy, this then works ok.
I have checked that the Proxy has installed the spacewalk-proxy-selinux package:
rpm -ql spacewalk-proxy-selinux
/usr/sbin/spacewalk-proxy-selinux-enable
/usr/share/doc/spacewalk-proxy-selinux-2.8.3
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.fc
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.if
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.te
/usr/share/selinux/devel/include/apps/spacewalk-proxy.if
/usr/share/selinux/mls/spacewalk-proxy.pp
/usr/share/selinux/strict/spacewalk-proxy.pp
/usr/share/selinux/targeted/spacewalk-proxy.pp
semodule -l | grep spacewalk-proxy
This returned no results!
So I imported the following: semodule -i /usr/share/selinux/targeted/spacewalk-proxy.pp
[root at euw2c660swproxy01 strict]# semodule -l | grep spacewalk-proxy
spacewalk-proxy 2.8.3.1
But this didn't resolve the issue.
So next I ran sealert on the audit.log; this prompted the following actions:
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -i my-httpd.pp
The my-httpd.te contained:
module my-httpd 1.0;
require {
    type var_log_t;
    type smtp_port_t;
    type rhnsd_conf_t;
    type httpd_t;
    type var_t;
    type var_spool_t;
    type http_cache_port_t;
    class tcp_socket name_connect;
    class dir { add_name read remove_name write };
    class file { create getattr lock open read rename unlink write };
}
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t http_cache_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow httpd_t rhnsd_conf_t:file { getattr open read };
#!!!! This avc is allowed in the current policy
allow httpd_t smtp_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow httpd_t var_log_t:file open;
#!!!! This avc is allowed in the current policy
allow httpd_t var_spool_t:dir { add_name read remove_name write };
#!!!! WARNING: 'var_spool_t' is a base type.
allow httpd_t var_spool_t:file unlink;
#!!!! This avc is allowed in the current policy
allow httpd_t var_spool_t:file { create rename write };
#!!!! This avc is allowed in the current policy
allow httpd_t var_t:file { getattr lock open read write };
-----------------
When I then imported my-httpd.pp, things started to work. I was able to
register a client through the Proxy with SELinux set to Enforcing, but why
is this the case?
I would expect this to work by just installing spacewalk-proxy-selinux
(which is installed).
The errors are similar to this: https://bugzilla.redhat.com/show_bug.cgi?id=1365569,
but I can confirm that the fixes in this ticket are in
/usr/share/doc/spacewalk-proxy-selinux-2.8.3/spacewalk-proxy.te on this
Proxy server.
Appreciate any help / insight into how I can fix this (without having to
disable SELinux or add this additional module file).
Many thanks,
Andy
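A defender's view of what the ausearch | audit2allow step above did with those denials, as an added example that is not part of the original post: it parses constructed AVC records (not the author's real audit.log), collapses them into the allow rules a module would need, and flags every rule whose target is a generic base type such as var_spool_t, because such a rule widens httpd_t's reach to every object still carrying that default label rather than to the proxy's own files. The BASE_TYPES list is my own assumption, not something the post or the spacewalk-proxy policy defines.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not the author's log), in the shape sealert and audit2allow consume.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1556283705.101:901): avc:  denied  { write add_name } for  pid=2231 comm="httpd" name="rhn-proxy" dev="xvda1" ino=1049 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1556283705.102:902): avc:  denied  { create write } for  pid=2231 comm="httpd" name="tmp123" dev="xvda1" ino=1050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556283705.103:903): avc:  denied  { unlink } for  pid=2231 comm="httpd" name="tmp123" dev="xvda1" ino=1050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556283705.104:904): avc:  denied  { name_connect } for  pid=2231 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<sctx>\S+)"
    r".*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)"
)

# Generic base types (my list, not from the post): allowing one of these reaches
# every object still carrying that default label, not just the proxy's own files.
BASE_TYPES = {"var_t", "var_spool_t", "var_log_t", "var_lib_t", "etc_t", "tmp_t"}

def parse_avc(log_text):
    """Collapse AVC denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial to map
        src = m.group("sctx").split(":")[2]  # a context is user:role:TYPE:level
        tgt = m.group("tctx").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def broad_rules(rules):
    return sorted(k for k in rules if k[1] in BASE_TYPES)  # review these first

def render_te(rules, name):
    """Emit the require/allow skeleton audit2allow would, plus a warning per broad rule."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "require {"]
    out += [f"    type {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in BASE_TYPES:
            out.append(f"#!!!! WARNING: '{tgt}' is a base type; relabel the path rather than allow it.")
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

Run it over a real audit.log (`ausearch -m avc --raw`) and treat every line broad_rules() returns as a labelling question (does /var/spool/rhn-proxy carry the type the spacewalk-proxy policy expects?) before loading any module.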