Bug 1170317

Summary: spacewalk-setup-2.2.13-1 raises SELinux error, and does not halt
Product: [Community] Spacewalk Reporter: R P Herrold <herrold>
Component: InstallationAssignee: Michael Mráka <mmraka>
Status: CLOSED EOL QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.2CC: herrold, mmraka
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1171890 (view as bug list) Environment:
Last Closed: 2019-07-12 08:50:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1171890    

Description R P Herrold 2014-12-03 19:14:23 UTC 
Description of problem:

SELinux setup fails, and the install script improperly continues

Version-Release number of selected component (if applicable):
spacewalk-setup-2.2.13-1.el6.noarch

How reproducible:

following outline at:
http://sunlnx.blogspot.com/2014/12/installation-of-spacewalk-centos-66_2.html?m=1

on a Centos 6 box, updated to current

with SELinux enabled


Steps to Reproduce:

fresh install

   24  yum install spacewalk-setup-postgresql screen rsync
   25  yum install spacewalk-setup-postgresql
   26  yum install spacewalk-postgresql
   27  yum clean all
   28  df -h
   29  yum -y upgrade
   30  spacewalk-setup --disconnected
   31  df
   32  tail /var/log/rhn/rhn_installation.log
   33  mv /var/log/rhn/rhn_installation.log /var/log/rhn/rhn_installation.log-try1

no intermediate reboot, but ...


Actual results:

[root@vm010004017 yum.repos.d]# cat /var/log/rhn/rhn_installation.log-try1
Installation log of Spacewalk
Command: /usr/bin/spacewalk-setup

Running /usr/sbin/spacewalk-selinux-enable
Running /usr/sbin/spacewalk-monitoring-selinux-enable
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.24:  Invalid argument
/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semodule:  Failed!
Running /usr/sbin/osa-dispatcher-selinux-enable

at this point, an undetected SELinux failure has occurred, and the script should report it and stop ... instead it plows on 

Expected results:

the expectation is for a script that either succeeds, or fails and optionally suggests how to correct the matter

Additional info:
Comment 1 Jan Pazdziora (Red Hat) 2014-12-08 09:27:24 UTC 
Does the Spacewalk server (post installation) work or does it seem to be affected by that error message?

If you run bash -x /usr/sbin/spacewalk-monitoring-selinux-enable, what is the output? Is there anything of interest in /var/log/audit/audit.log?
Comment 2 R P Herrold 2014-12-08 20:33:53 UTC 
this looks normal

Last login: Wed Dec  3 12:12:19 2014 from centos-6.first.owlriver.net
[root@spacewalk1 ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda1        16G  2.2G   13G  15% /
tmpfs           499M     0  499M   0% /dev/shm
[root@spacewalk1 ~]# sync
[root@spacewalk1 ~]#  bash -x /usr/sbin/spacewalk-monitoring-selinux-enable
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s mls -l
+ :
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s strict -l
+ :
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s targeted -l
+ /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/spacewalk-monitoring.pp
+ /sbin/restorecon -vi /etc/NOCpulse.ini
+ /sbin/restorecon -rv /etc/rc.d/np.d /etc/notification /var/lib/nocpulse /var/lib/notification /var/log/nocpulse /usr/share/nocpulse/cgi-bin
+ /sbin/restorecon -rvi '/var/log/SysVStep.*' '/var/run/SysVStep.*'
[root@spacewalk1 ~]#


[root@spacewalk1 ~]# grep -v "success"  /var/log/audit/audit.log | wc -l
2125

type=LOGIN msg=audit(1418069702.010:10495): pid=27154 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=497 old ses=4294967295 new ses=583
type=CONFIG_CHANGE msg=audit(1418070216.147:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=LOGIN msg=audit(1418070552.765:26): pid=1140 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=LOGIN msg=audit(1418070601.572:36): pid=1161 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=497 old ses=4294967295 new ses=2
type=MAC_POLICY_LOAD msg=audit(1418070622.500:40): policy loaded auid=0 ses=1
[root@spacewalk1 ~]#

Value of seconds since Epoch: 1418070216   is:
Mon, 08 Dec 2014 20:23:36 +0000
http://www.first.owlriver.net/time-decoder/
Current time() is: 1418070774

I will reset the audit log, and do a relabel, to get rid of clutter
Comment 3 R P Herrold 2014-12-08 20:42:16 UTC 
and with a cleaned audit log, a touch '/.autorelabel', and a reboot, an empty selinux log

[root@spacewalk1 ~]#  grep -v "success"  /var/log/audit/audit.log | wc -l
0
[root@spacewalk1 ~]#  bash -x /usr/sbin/spacewalk-monitoring-selinux-enable
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s mls -l
+ :
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s strict -l
+ :
+ for selinuxvariant in mls strict targeted
+ /usr/sbin/semodule -s targeted -l
+ /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/spacewalk-monitoring.pp
+ /sbin/restorecon -vi /etc/NOCpulse.ini
+ /sbin/restorecon -rv /etc/rc.d/np.d /etc/notification /var/lib/nocpulse /var/lib/notification /var/log/nocpulse /usr/share/nocpulse/cgi-bin
+ /sbin/restorecon -rvi '/var/log/SysVStep.*' '/var/run/SysVStep.*'
[root@spacewalk1 ~]#  grep -v "success"  /var/log/audit/audit.log | wc -l
0
[root@spacewalk1 ~]#


Please advise if anything else is wanted
Comment 4 R P Herrold 2014-12-08 20:55:37 UTC 
Then re-running the script initially complained of ends:

Installation complete.
Visit https://spacewalk1.first.owlriver.net to create the Spacewalk administrator account.
[root@spacewalk1 ~]# wc -l /var/log/rhn/install_db.log
2 /var/log/rhn/install_db.log


so the issue is still that the script needs to 'die' better
Comment 5 R P Herrold 2014-12-08 20:56:53 UTC 
actually the script does not check that port 443 is oipen in iptables / firewall

I will file this bug separately

Firefox can't establish a connection to the server at spacewalk1.first.owlriver.net.
Comment 6 Jan Pazdziora (Red Hat) 2014-12-09 07:33:23 UTC 
(In reply to R P Herrold from comment #2)
> 
> [root@spacewalk1 ~]# grep -v "success"  /var/log/audit/audit.log | wc -l
> 2125

So what are the error messages from the time you run the spacewalk-setup for the first time?
Comment 7 R P Herrold 2014-12-09 21:36:53 UTC 
As reported to stdout / stderr, they were:

Running /usr/sbin/spacewalk-monitoring-selinux-enable
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.24:  Invalid argument
/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semodule:  Failed!

per the initial filing

as to /var/log/audit/audit_log, the relevant ones need some trimming to see.  I used:this, to see all the messages not from ssh, or the crond, or indicating a success from the time frame in question

Value of seconds since Epoch: 1417555907   is:
Tue, 02 Dec 2014 21:31:47 +0000

Value of seconds since Epoch: 1418070552   is:
Mon, 08 Dec 2014 20:29:12 +0000

the bug was filed 2014-12-03 14:14:23 EST so anything after 1417728707 (48 hr later) is probably not in scope

([root@spacewalk1 audit]# echo "1417555907 + 86400 + 86400 " | bc
1417728707)

[root@spacewalk1 audit]# grep -v "sbin/sshd" audit.log-aside | grep -v "res=success" | grep -v "system_r:crond_" | grep -v "success=yes" | wc -l
20
[root@spacewalk1 audit]# grep -v "sbin/sshd" audit.log-aside | grep -v "res=success" | grep -v "system_r:crond_" | grep -v "success=yes" > initial-audit.txt

[root@spacewalk1 audit]# cat initial-audit.txt                              
type=CONFIG_CHANGE msg=audit(1417555907.189:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1        
type=CONFIG_CHANGE msg=audit(1417555972.229:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1        
type=LOGIN msg=audit(1417556736.610:15): pid=1188 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=LOGIN msg=audit(1417556751.346:40): pid=1195 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2
type=MAC_POLICY_LOAD msg=audit(1417559241.838:63): policy loaded auid=0 ses=2
type=CONFIG_CHANGE msg=audit(1417559333.377:69): audit_backlog_limit=320 old=320 auid=0 ses=2 subj=unconfined_u:system_r:auditctl_t:s0 res=1
type=MAC_POLICY_LOAD msg=audit(1417618352.279:185): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1417619108.231:202): policy loaded auid=0 ses=2
type=MAC_CONFIG_CHANGE msg=audit(1417620650.257:215): bool=httpd_can_network_connect val=1 old_val=0 auid=0 ses=2
type=MAC_CONFIG_CHANGE msg=audit(1417621409.744:216): bool=httpd_can_sendmail val=1 old_val=0 auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1417622001.121:223): policy loaded auid=0 ses=2
type=LOGIN msg=audit(1417626738.715:276): pid=15087 uid=0 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=2 new ses=32
type=MAC_POLICY_LOAD msg=audit(1417627112.882:290): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1417628916.083:303): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1417629148.015:304): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1417629530.046:305): policy loaded auid=0 ses=2
type=CONFIG_CHANGE msg=audit(1417651067.258:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1418070216.147:5): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=LOGIN msg=audit(1418070552.765:26): pid=1140 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=MAC_POLICY_LOAD msg=audit(1418070622.500:40): policy loaded auid=0 ses=1
[root@spacewalk1 audit]#
Comment 8 Jan Pazdziora (Red Hat) 2014-12-15 07:47:56 UTC 
(In reply to R P Herrold from comment #7)
> As reported to stdout / stderr, they were:
> 
> Running /usr/sbin/spacewalk-monitoring-selinux-enable
> SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.24:
> Invalid argument
> /sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> /usr/sbin/semodule:  Failed!

I'm currntly out of ideas about the cause.
Comment 9 Jan Pazdziora (Red Hat) 2017-10-18 08:04:31 UTC 
Is this still an active issue?
Comment 10 R P Herrold 2018-05-10 20:48:47 UTC 
did not see this question -- tagging on needinfo to self to check
Comment 11 Michael Mráka 2019-07-12 08:50:15 UTC 
Spacewalk 2.8 and older has already reached it's End Of Life.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before end of life. If you would still like
to see this bug fixed and are able to reproduce it against current version
of Spacewalk 2.9, you are encouraged change the 'version' and re-open it.