Description of problem: SELinux setup fails, and the install script improperly continues Version-Release number of selected component (if applicable): spacewalk-setup-2.2.13-1.el6.noarch How reproducible: following outline at: http://sunlnx.blogspot.com/2014/12/installation-of-spacewalk-centos-66_2.html?m=1 on a Centos 6 box, updated to current with SELinux enabled Steps to Reproduce: fresh install 24 yum install spacewalk-setup-postgresql screen rsync 25 yum install spacewalk-setup-postgresql 26 yum install spacewalk-postgresql 27 yum clean all 28 df -h 29 yum -y upgrade 30 spacewalk-setup --disconnected 31 df 32 tail /var/log/rhn/rhn_installation.log 33 mv /var/log/rhn/rhn_installation.log /var/log/rhn/rhn_installation.log-try1 no intermediate reboot, but ... Actual results: [root@vm010004017 yum.repos.d]# cat /var/log/rhn/rhn_installation.log-try1 Installation log of Spacewalk Command: /usr/bin/spacewalk-setup Running /usr/sbin/spacewalk-selinux-enable Running /usr/sbin/spacewalk-monitoring-selinux-enable SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Invalid argument /sbin/load_policy: Can't load policy: Invalid argument libsemanage.semanage_reload_policy: load_policy returned error code 2. /usr/sbin/semodule: Failed! Running /usr/sbin/osa-dispatcher-selinux-enable at this point, an undetected SELinux failure has occurred, and the script should report it and stop ... instead it plows on Expected results: the expectation is for a script that either succeeds, or fails and optionally suggests how to correct the matter Additional info:
Does the Spacewalk server (post installation) work or does it seem to be affected by that error message? If you run bash -x /usr/sbin/spacewalk-monitoring-selinux-enable, what is the output? Is there anything of interest in /var/log/audit/audit.log?
this looks normal Last login: Wed Dec 3 12:12:19 2014 from centos-6.first.owlriver.net [root@spacewalk1 ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/vda1 16G 2.2G 13G 15% / tmpfs 499M 0 499M 0% /dev/shm [root@spacewalk1 ~]# sync [root@spacewalk1 ~]# bash -x /usr/sbin/spacewalk-monitoring-selinux-enable + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s mls -l + : + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s strict -l + : + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s targeted -l + /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/spacewalk-monitoring.pp + /sbin/restorecon -vi /etc/NOCpulse.ini + /sbin/restorecon -rv /etc/rc.d/np.d /etc/notification /var/lib/nocpulse /var/lib/notification /var/log/nocpulse /usr/share/nocpulse/cgi-bin + /sbin/restorecon -rvi '/var/log/SysVStep.*' '/var/run/SysVStep.*' [root@spacewalk1 ~]# [root@spacewalk1 ~]# grep -v "success" /var/log/audit/audit.log | wc -l 2125 type=LOGIN msg=audit(1418069702.010:10495): pid=27154 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=497 old ses=4294967295 new ses=583 type=CONFIG_CHANGE msg=audit(1418070216.147:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=LOGIN msg=audit(1418070552.765:26): pid=1140 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1 type=LOGIN msg=audit(1418070601.572:36): pid=1161 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=497 old ses=4294967295 new ses=2 type=MAC_POLICY_LOAD msg=audit(1418070622.500:40): policy loaded auid=0 ses=1 [root@spacewalk1 ~]# Value of seconds since Epoch: 1418070216 is: Mon, 08 Dec 2014 20:23:36 +0000 http://www.first.owlriver.net/time-decoder/ Current time() is: 1418070774 I will reset the audit log, and do a relabel, to get rid of clutter
and with a cleaned audit log, a touch '/.autorelabel', and a reboot, an empty selinux log [root@spacewalk1 ~]# grep -v "success" /var/log/audit/audit.log | wc -l 0 [root@spacewalk1 ~]# bash -x /usr/sbin/spacewalk-monitoring-selinux-enable + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s mls -l + : + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s strict -l + : + for selinuxvariant in mls strict targeted + /usr/sbin/semodule -s targeted -l + /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/spacewalk-monitoring.pp + /sbin/restorecon -vi /etc/NOCpulse.ini + /sbin/restorecon -rv /etc/rc.d/np.d /etc/notification /var/lib/nocpulse /var/lib/notification /var/log/nocpulse /usr/share/nocpulse/cgi-bin + /sbin/restorecon -rvi '/var/log/SysVStep.*' '/var/run/SysVStep.*' [root@spacewalk1 ~]# grep -v "success" /var/log/audit/audit.log | wc -l 0 [root@spacewalk1 ~]# Please advise if anything else is wanted
Then re-running the script initially complained of ends: Installation complete. Visit https://spacewalk1.first.owlriver.net to create the Spacewalk administrator account. [root@spacewalk1 ~]# wc -l /var/log/rhn/install_db.log 2 /var/log/rhn/install_db.log so the issue is still that the script needs to 'die' better
actually the script does not check that port 443 is oipen in iptables / firewall I will file this bug separately Firefox can't establish a connection to the server at spacewalk1.first.owlriver.net.
(In reply to R P Herrold from comment #2) > > [root@spacewalk1 ~]# grep -v "success" /var/log/audit/audit.log | wc -l > 2125 So what are the error messages from the time you run the spacewalk-setup for the first time?
As reported to stdout / stderr, they were: Running /usr/sbin/spacewalk-monitoring-selinux-enable SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Invalid argument /sbin/load_policy: Can't load policy: Invalid argument libsemanage.semanage_reload_policy: load_policy returned error code 2. /usr/sbin/semodule: Failed! per the initial filing as to /var/log/audit/audit_log, the relevant ones need some trimming to see. I used:this, to see all the messages not from ssh, or the crond, or indicating a success from the time frame in question Value of seconds since Epoch: 1417555907 is: Tue, 02 Dec 2014 21:31:47 +0000 Value of seconds since Epoch: 1418070552 is: Mon, 08 Dec 2014 20:29:12 +0000 the bug was filed 2014-12-03 14:14:23 EST so anything after 1417728707 (48 hr later) is probably not in scope ([root@spacewalk1 audit]# echo "1417555907 + 86400 + 86400 " | bc 1417728707) [root@spacewalk1 audit]# grep -v "sbin/sshd" audit.log-aside | grep -v "res=success" | grep -v "system_r:crond_" | grep -v "success=yes" | wc -l 20 [root@spacewalk1 audit]# grep -v "sbin/sshd" audit.log-aside | grep -v "res=success" | grep -v "system_r:crond_" | grep -v "success=yes" > initial-audit.txt [root@spacewalk1 audit]# cat initial-audit.txt type=CONFIG_CHANGE msg=audit(1417555907.189:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=CONFIG_CHANGE msg=audit(1417555972.229:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=LOGIN msg=audit(1417556736.610:15): pid=1188 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1 type=LOGIN msg=audit(1417556751.346:40): pid=1195 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2 type=MAC_POLICY_LOAD msg=audit(1417559241.838:63): policy loaded auid=0 ses=2 type=CONFIG_CHANGE msg=audit(1417559333.377:69): audit_backlog_limit=320 old=320 auid=0 ses=2 subj=unconfined_u:system_r:auditctl_t:s0 res=1 type=MAC_POLICY_LOAD msg=audit(1417618352.279:185): policy loaded auid=0 ses=2 type=MAC_POLICY_LOAD msg=audit(1417619108.231:202): policy loaded auid=0 ses=2 type=MAC_CONFIG_CHANGE msg=audit(1417620650.257:215): bool=httpd_can_network_connect val=1 old_val=0 auid=0 ses=2 type=MAC_CONFIG_CHANGE msg=audit(1417621409.744:216): bool=httpd_can_sendmail val=1 old_val=0 auid=0 ses=2 type=MAC_POLICY_LOAD msg=audit(1417622001.121:223): policy loaded auid=0 ses=2 type=LOGIN msg=audit(1417626738.715:276): pid=15087 uid=0 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=2 new ses=32 type=MAC_POLICY_LOAD msg=audit(1417627112.882:290): policy loaded auid=0 ses=2 type=MAC_POLICY_LOAD msg=audit(1417628916.083:303): policy loaded auid=0 ses=2 type=MAC_POLICY_LOAD msg=audit(1417629148.015:304): policy loaded auid=0 ses=2 type=MAC_POLICY_LOAD msg=audit(1417629530.046:305): policy loaded auid=0 ses=2 type=CONFIG_CHANGE msg=audit(1417651067.258:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=CONFIG_CHANGE msg=audit(1418070216.147:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=LOGIN msg=audit(1418070552.765:26): pid=1140 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1 type=MAC_POLICY_LOAD msg=audit(1418070622.500:40): policy loaded auid=0 ses=1 [root@spacewalk1 audit]#
(In reply to R P Herrold from comment #7) > As reported to stdout / stderr, they were: > > Running /usr/sbin/spacewalk-monitoring-selinux-enable > SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: > Invalid argument > /sbin/load_policy: Can't load policy: Invalid argument > libsemanage.semanage_reload_policy: load_policy returned error code 2. > /usr/sbin/semodule: Failed! I'm currntly out of ideas about the cause.
Is this still an active issue?
did not see this question -- tagging on needinfo to self to check
Spacewalk 2.8 and older has already reached it's End Of Life. Thank you for reporting this issue and we are sorry that we were not able to fix it before end of life. If you would still like to see this bug fixed and are able to reproduce it against current version of Spacewalk 2.9, you are encouraged change the 'version' and re-open it.