Description of problem:
Spacewalk has some SELinux troubles on RHEL 7.4, see bz1451318. They already fixed most of it, except spacewalk_log_t (bz1451318#c3).

/var/log/audit/audit.log:

type=AVC msg=audit(1495181220.108:381): avc: denied { search } for pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:381): arch=c000003e syscall=2 success=no exit=-13 a0=7f99a0621390 a1=441 a2=1b6 a3=1c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1495181220.108:381): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D6561002D586D733235366D002D586D783235366D002D446A6176612E6177742E686561646C6573733D74727565002D446F72672E786D6C2E7361782E6472697665723D6F72672E6170616368652E7865726365732E706172736572732E5341585061727365
type=AVC msg=audit(1495181220.108:382): avc: denied { getattr } for pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:382): arch=c000003e syscall=4 success=no exit=-13 a0=7f99a063c300 a1=7f99c18d3ad0 a2=7f99c18d3ad0 a3=c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)

# audit2why -a
type=AVC msg=audit(1495181220.108:381): avc: denied { search } for pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:382): avc: denied { getattr } for pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:383): avc: denied { getattr } for pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:384): avc: denied { getattr } for pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.

# audit2allow -a

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };

Version-Release number of selected component (if applicable):
RHEL-7.4-20170518.n.0 Server
selinux-policy-3.13.1-150.el7.noarch
spacewalk-selinux-2.3.2-1.el7.noarch
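As an added illustration, not code from the bug report or from Spacewalk: the script below does by hand what "audit2allow -a" did above. It parses the AVC records, groups them by source type, target type and object class, and merges the permissions of each group into a single allow rule, so the separate "search" and "getattr" denials collapse into "{ getattr search }". The sample log lines are constructed from the records quoted in the description (SYSCALL records shortened). It also wraps the rules in a loadable module source the way "audit2allow -M" would, which is where the missing-type problem in this bug bites: every type the rule references must be listed in the module's require block, and semodule refuses to load a module whose required types the base policy does not define. The module name spacewalk_local is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC records quoted in the bug report.
# Non-AVC records (SYSCALL, PROCTITLE) are present to show they are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:381): arch=c000003e syscall=2 success=no exit=-13 subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=AVC msg=audit(1495181220.108:383): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
"""

# Fields of an AVC record that determine the allow rule: verdict, permission
# set, source context, target context and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the rule-relevant fields of one AVC record, or None for any
    other record type. The SELinux type is the third field of a context
    (user:role:type:level), which is all a TE allow rule cares about."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def allow_rules(log_text):
    """Render one TE allow rule per group, in audit2allow's output style."""
    out = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(log_text).items()):
        plist = " ".join(sorted(perms))
        if len(perms) == 1:
            out.append(f"allow {stype} {ttype}:{tclass} {plist};")
        else:
            out.append(f"allow {stype} {ttype}:{tclass} {{ {plist} }};")
    return out


def policy_module(name, log_text, version="1.0"):
    """Wrap the rules in a .te module source. The require block must name
    every type and class used; a type absent from the loaded base policy
    (as spacewalk_log_t was here) makes semodule reject the module."""
    denials = collect_denials(log_text)
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("spacewalk_local", SAMPLE_AUDIT_LOG))
```

Treat the generated rule as a starting point for review rather than something to load as-is: the grouping step shows exactly which domain wants which access to which type, which is the information needed to decide whether the rule belongs in the product's own policy (as the eventual fix did) instead of a local module.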
BZ#1451318 mentions the following rule:

allow tomcat_t spacewalk_data_t:dir search;

but spacewalk_data_t is not defined in selinux-policy either.

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-162.el7.noarch
selinux-policy-targeted-3.13.1-162.el7.noarch
selinux-policy-devel-3.13.1-162.el7.noarch
# seinfo -tspacewalk_log_t
ERROR: could not find datum for type spacewalk_log_t
# seinfo -tspacewalk_data_t
ERROR: could not find datum for type spacewalk_data_t
#

Therefore the spacewalk-selinux package should bring the above-mentioned rule too.
The latest nightly packages now appear to define spacewalk_log_t and spacewalk_data_t.

# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
# seinfo -tspacewalk_log_t
   spacewalk_log_t
# seinfo -tspacewalk_data_t
   spacewalk_data_t
#

However, audit2allow -a still reports:

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };

I'm not really familiar with defining SELinux policy rules. I suspect this rule should get added to spacewalk.te at line 35, just below:

allow httpd_t spacewalk_install_log_t:file { append ioctl };
allow restorecon_t spacewalk_install_log_t:file { append };

But I'd like someone to confirm that before I make such a change.
Fixed in spacewalk.git by commit fad5b4efc950689191cb31053213807f9e24a8e9
1452560 - allow tomcat to access spacewalk logs
Spacewalk 2.7 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes27