Bug 1494675
| Summary: | PAM authentication no longer works after upgrading to CentOS 7.4 | ||
|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | Michal Middleton <jafa81> |
| Component: | WebUI | Assignee: | Grant Gainey <ggainey> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.6 | CC: | aparsons, jacco, neile.havens, tkasparek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-20 12:32:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1564160 | ||
Same here, but I am using SSSD instead of Winbind:

```
# cat /etc/pam.d/rhn-satellite
auth required pam_env.so
auth sufficient pam_sss.so no_user_check
auth required pam_deny.so
account required pam_sss.so no_user_check

# tail /var/log/secure
Oct 2 12:21:58 foohost java: pam_sss(rhn-satellite:auth): authentication success; logname= uid=91 euid=91 tty= ruser= rhost= user=pietjepuk
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
```

Same here with SSSD.

This looks to be a duplicate of https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791

(In reply to neile.havens from comment #2)
> Same here with SSSD.
>
> This looks to be a duplicate of
> https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791

Sorry, incorrect link in my first comment. Here's the correct link: https://bugzilla.redhat.com/show_bug.cgi?id=1517791

spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8

Moving ON_QA

Spacewalk 2.8 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28
Description of problem:
PAM authentication no longer working for WebUI after upgrading to CentOS 7.4

Version-Release number of selected component (if applicable):
2.6 and 2.7

How reproducible:

Steps to Reproduce:

1. We use winbind via PAM to allow AD login to our Spacewalk. After updating to centos 7.4 the AD login no longer works.

Configuration:

rhn.conf: "pam_auth_service = rhn-satellite"

```
cat /etc/pam.d/rhn-satellite
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
```

2. /var/log/messages:

```
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): getting password (0x00000000)
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): user 'me' granted access
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
```

Actual results:
AD login doesn't work

Additional info:
The issue (and solution) appears to be in SELinux. I was able to get everything working by creating my custom SELinux module. Here is the TE that solved my issue:

```
#--cut
module spacewalk-fix 1.1;

require {
	type osa_dispatcher_t;
	type tomcat_t;
	type spacewalk_log_t;
	type osad_exec_t;
	class dir { getattr search };
	class file { getattr open };
	class netlink_audit_socket { create nlmsg_relay read write };
}

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t osad_exec_t:file getattr;

#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file open;
#--cut
```

While it addresses two different issues, I believe the main problem was with "netlink_audit_socket"
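
Both log excerpts in this report show the same signature: the PAM module accepts the user, then the same process logs `PAM audit_open() failed: Permission denied`. The following correlator picks that signature out of syslog text; it is an added example, not code from the reporter or the Spacewalk project. The function name, the two-second window and the placeholder year are assumptions, and the sample lines are the ones quoted on this page.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines quoted in this bug report.
SAMPLE_LOG = """\
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): getting password (0x00000000)
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): user 'me' granted access
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Oct 2 12:21:58 foohost java: pam_sss(rhn-satellite:auth): authentication success; logname= uid=91 euid=91 tty= ruser= rhost= user=pietjepuk
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
"""

LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Success messages in the two forms seen in the report (pam_winbind, pam_sss).
SUCCESS = re.compile(r"pam_(?P<module>\w+)\((?P<service>[^:)]+):auth\): "
                     r"(?:user '(?P<u1>[^']+)' granted access"
                     r"|authentication success;.*\buser=(?P<u2>\S+))")
AUDIT_FAIL = re.compile(r"PAM audit_open\(\) failed: (?P<err>.+)")

def find_audit_blocked_logins(text, window=2):
    """Logins a PAM module accepted but where audit_open() then failed (hypothetical helper)."""
    last_ok, findings = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog omits the year; 2000 is an arbitrary leap year used only for time deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["host"], m["proc"])  # correlate within one host and process name
        ok = SUCCESS.search(m["msg"])
        if ok:
            last_ok[key] = {"host": m["host"], "module": ok["module"], "service": ok["service"],
                            "user": ok["u1"] or ok["u2"], "time": ts, "audit_failures": 0}
            continue
        fail = AUDIT_FAIL.search(m["msg"])
        prev = last_ok.get(key)
        if fail and prev and 0 <= (ts - prev["time"]).total_seconds() <= window:
            if prev["audit_failures"] == 0:  # report each accepted login once
                prev["error"] = fail["err"]
                findings.append(prev)
            prev["audit_failures"] += 1
    return findings

if __name__ == "__main__":
    for f in find_audit_blocked_logins(SAMPLE_LOG):
        print(f"{f['host']}: pam_{f['module']} accepted {f['user']}, audit_open() failed x{f['audit_failures']}")
```
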