I am also having this issue. Applying various SELinux fixes using sealert seems to be able to get it working again, but agree that it’s a band-aid and that the packages should be updated to allow proper PAM auth for Spacewalk with SELinux.
--Matthew Wilkinson

From: [email protected] On Behalf Of Olli Rajala
Sent: Tuesday, January 02, 2018 04:38
To: Aleksander Baranowski
Cc: [email protected]
Subject: Re: [Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux

Hi,

Didn't know about the yum history command, thanks for the tip! Below you can find the info I think is relevant.

I suppose that the following update done at 2017-09-27 broke the PAM auth:
selinux-policy-3.13.1-102.el7_3.16.noarch -> 3.13.1-166.el7_4.4.noarch

After downgrading selinux-policy (+ other necessary dependencies) to the 3.13.1-102, PAM authentication started working again.

I've done previously custom selinux-policies as you described, but I think it's only a band aid. The proper way is to fix the selinux-policy package. I suppose I should create a ticket about this to Redhat + CentOS bug reporting systems?

$ sudo yum history
Loaded plugins: fastestmirror, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    41 | <>                       | 2017-12-11 09:36 | E, I, O, U     |   89 EE
    40 | <>                       | 2017-09-27 13:00 | E, I, O, U     |  322 EE

Update 40:
    Updated selinux-policy-3.13.1-102.el7_3.16.noarch          @updates
    Update                 3.13.1-166.el7_4.4.noarch           @updates
    Updated selinux-policy-targeted-3.13.1-102.el7_3.16.noarch @updates
    Update                          3.13.1-166.el7_4.4.noarch  @updates

Update 41:
    Updated selinux-policy-3.13.1-166.el7_4.4.noarch           @updates
    Update                 3.13.1-166.el7_4.7.noarch           @updates
    Updated selinux-policy-targeted-3.13.1-166.el7_4.4.noarch  @updates
    Update                          3.13.1-166.el7_4.7.noarch  @updates

Downgraded packages:
firewalld-0.4.3.2-8.el7.noarch.rpm
firewalld-filesystem-0.4.3.2-8.el7.noarch.rpm
python-firewall-0.4.3.2-8.el7.noarch.rpm
selinux-policy-3.13.1-102.el7_3.16.noarch.rpm
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch.rpm

-Olli

On Tue, Jan 2, 2018 at 11:55 AM, Aleksander Baranowski <[email protected]> wrote:

Hi,

I believe that it would be easier if you attach the update log. You can use `yum history` for that purpose.

First solution:
This is a lucky guess, but selinux-policy* was probably updated, you can always try downgrading.

Second solution:
Note that the solution below is quite bruteforce :)
Install setroubleshoot-server.
sealert -a /var/log/audit/audit.log
would give you a recipe for a new SELinux policy. As said before - it's not the best solution (you will probably need to repeat sealert)

I know that both of them are much more like hot patching instead of resolving root cause, but this is what comes to my mind.

Bests,
Alex

On 01/02/2018 10:40 AM, Olli Rajala wrote:

Hi,

We had working PAM authentication in our Spacewalk 2.6 running on CentOS 7.4.1708, and it was updated + rebooted today. After some update during autumn PAM authentication stopped working. Unfortunately I can't be more specific.
I know when it worked (24.7.2017), but not when it stopped. Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just fine, so this is related to CentOS 7.

The issue is the same as described in this post:
https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007.html

Raw Audit Messages
type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java from getattr access on the directory /var/log/rhn.

$ rpm -qa | grep spacewalk-selinux
spacewalk-selinux-2.3.2-1.el7.noarch

Any ideas? Disabling SELinux is not a possibility. Luckily we can login with local accounts, but would prefer PAM authentication.

BR,
--
Olli Rajala
Finland

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list

--
Aleksander Baranowski
System Engineer / DevOps

--
Olli Rajala
Ravoltek
Vaasa, Finland
http://www.ravoltek.net
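Added example, not part of the thread and not Spacewalk or setroubleshoot code: a small parser that groups AVC denials by source type, target type and object class, so the set of permissions a local policy module built from the sealert output would grant can be reviewed first. The first sample line is the AVC record quoted in the thread; the other lines, including the var_log_t target type, are constructed for illustration.

```python
import re
from collections import defaultdict

# AVC record layout as in the audit line quoted in the thread.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; policy rules are written on the type.
    try:
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"perms": set(m.group("perms").split()), "comm": fields.get("comm"),
            "source": source, "target": target, "tclass": tclass}

def summarize(lines):
    """Group denials: (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

SAMPLE = [
    # Quoted in the thread:
    'type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    # Constructed lines (not from the thread):
    'type=AVC msg=audit(1514881079.100:6092): avc:  denied  { nlmsg_relay } for  pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1514881080.200:6093): avc:  denied  { getattr } for  pid=1037 comm="java" path="/var/log/rhn" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=USER_AUTH msg=audit(1514881081.300:6094): pid=1037 uid=0 msg=\'op=PAM:authentication acct="example" res=failed\'',
]

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Each output row corresponds to one allow rule a generated module would add; a row that is broader than PAM authentication needs is a reason to report the denial upstream instead of allowing it locally.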
