On Wed, 3 Jan 2018 13:29:04, Michael Mraka <[email protected]> wrote: >Olli Rajala: >> Hi, >> We had working PAM authentication in our Spacewalk 2.6 running on >> CentOS 7.4.1708, and it was updated + rebooted today. After some >> update during autumn PAM authentication stopped working. Unfortunately >> I can't be more specific. I know when it worked (24.7.2017), but not when it >> stopped. >> Another instance of Spacewalk 2.6 on CentOS 6.9 seems to work just >> fine, so this is related to CentOS 7. >> >> The issue is the same as described in this post: >> https://www.redhat.com/archives/spacewalk-list/2017-September/msg00007 >> .html >> >> Raw Audit Messages >> type=AVC msg=audit(1514881078.526:6091): avc: denied { create } for >> pid=1037 comm="java" scontext=system_u:system_r:tomcat_t:s0 >> tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket >> >> SELinux is preventing >> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/j >> ava from getattr access on the direry /var/log/rhn. >> >> $ rpm -qa | grep spacewalk-selinux >> spacewalk-selinux-2.3.2-1.el7.noarch >> >> Any ideas? Disabling SELinux is not a possibility. > >Hello Olli, > >This issue has been already fixed in Spacewalk 2.7 (together with number of >other tomcat_t issues). Is there a specific reason why you are usingolder (and >unsupported) version? > >> Luckily we can login with local accounts, but would prefer PAM >> authentication. >> >> BR, >> -- >> Olli Rajala >> Finland > >Regards, > >-- >Michael Mr?ka >System Management Engineering, Red Hat >
Hi Michael, I beg to differ. I upgraded to Spacewalk 2.7 at about the same time as the 7.4 updates came out and it took me a long time to figure out that the SELinux policies are what broke PAM. I didn't get them fixed until just before Christmas. While upgrading to SW 2.7 fixed a lot of issues with the 7.4 policy, the PAM sssd module still had problems accessing the krb5.conf file, and tomcat had problems accessing pam. Here's the notes I wrote for our internal team on the steps I took to resolve the PAM authentication issue: "So I've finally got Spacewalk AD authentication working again. My PAM configuration is fine. The first clue was an SELinux error in /var/log/messages that sssd couldn't access krb5.conf: Dec 21 17:28:44 dc1-lsw01 python: SELinux is preventing /usr/libexec/sssd/sssd_be from write access on the file /etc/krb5.conf.#012#012***** Plugin catchall_labels (83.8 confidence) suggests *******************#012#012If you want to allow sssd_be to have write access on the krb5.conf file#012Then you need to change the label on /etc/krb5.conf#012Do#012# semanage fcontext -a -t FILE_TYPE '/etc/krb5.conf'#012where FILE_TYPE is one of the following: abrt_var_cache_t, afs_cache_t, auth_cache_t, faillog_t, gkeyringd_tmp_t, initrc_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, puppet_tmp_t, security_t, selinux_login_config_t, sssd_public_t, sssd_var_lib_t, sssd_var_log_t, sssd_var_run_t, user_cron_spool_t, user_tmp_t.#012Then execute:#012restorecon -v '/etc/krb5.conf'#012#012#012***** Plugin catchall (17.1 confidence) suggests **************************#012#012If you believe that sssd_be should be allowed write access on the krb5. conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe#012# semodule -i my-sssdbe.pp#012 That led me to a post about CentOS 7.4 SELinux breaking a bunch of Spacewalk 2.6 stuff and not all of it fixed with Spacewalk 2.7. So I fixed that above error with the recommended ausearch/audit2allow command. Then I started seeing the following in /var/log/secure Dec 21 17:58:16 dc1-lsw01 java: PAM audit_log_acct_message() failed: Permission denied which led me to https://www.endpoint.com/blog/2013/11/20/selinux-fix-for-sudo-pam and when I tried to turn off SELinux enforcement, authentication by PAM sssd started working. So then I ran through the rest of the process in that latter blog entry, looked again in /var/log/messages, saw new SELinux errors about java (Spacewalk's Tomcat) and ran those through ausearch/audit2allow. And we're good to go again." If you follow the endpoint blog link, you'll see that I was not the only person to find that not all SW 2.7 issues with the new SELinux policy have been resolved. Paul-Andre Panon Senior systems administrator _______________________________________________ Spacewalk-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/spacewalk-list
