Bug 1494675 - PAM authentication no longer works after upgrading to CentOS 7.4
Summary: PAM authentication no longer works after upgrading to CentOS 7.4
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: WebUI
Version: 2.6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space28
Reported: 2017-09-22 19:20 UTC by Michal Middleton
Modified: 2018-04-20 12:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-20 12:32:22 UTC
Embargoed:



Description Michal Middleton 2017-09-22 19:20:53 UTC
Description of problem:
PAM authentication no longer working for WebUI after upgrading to CentOS 7.4

Version-Release number of selected component (if applicable):
2.6 and 2.7

How reproducible:


Steps to Reproduce:
1.
We use winbind via PAM to allow AD login to our Spacewalk. After updating to CentOS 7.4 the AD login no longer works.
 
Configuration: 
rhn.conf: "pam_auth_service = rhn-satellite"

cat /etc/pam.d/rhn-satellite
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok

2.
/var/log/messages:
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): getting password (0x00000000)
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): user 'me' granted access
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied



Actual results:
AD login doesn't work

Additional info:
The issue (and solution) appears to be in SELinux.
I was able to get everything working by creating a custom SELinux module.
Here is the TE that solved my issue:
#--cut
module spacewalk-fix 1.1;

require {
	type osa_dispatcher_t;
	type tomcat_t;
	type spacewalk_log_t;
	type osad_exec_t;
	class dir { getattr search };
	class file { getattr open };
	class netlink_audit_socket { create nlmsg_relay read write };
}

#============= osa_dispatcher_t ==============
# unrelated denial picked up at the same time: osa-dispatcher stat()ing the osad binary
allow osa_dispatcher_t osad_exec_t:file getattr;

#============= tomcat_t ==============
# the WebUI java process must open a netlink audit socket so PAM can record the login;
# this is the "PAM audit_open() failed: Permission denied" seen in /var/log/messages
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
# tomcat also needs to search the spacewalk log directory and open files in it
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file open;
#--cut

While it addresses two different issues, I believe the main problem was with "netlink_audit_socket".
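As an added example (not from the report or the Spacewalk project), a small POSIX shell script that counts the audit_open denials in a log excerpt and writes, compiles and loads only the tomcat_t part of the module above; it assumes checkmodule, semodule_package and semodule from the CentOS policycoreutils packages and skips the load step when they are absent.

```shell
#!/bin/sh
# Added example, not from the bug report: detect the symptom and build/load the
# tomcat_t part of the reporter's workaround module on a CentOS 7 Spacewalk host.
# Assumes checkmodule, semodule_package and semodule (policycoreutils); when they
# are missing, build_and_load only reports and leaves the .te source in place.

# Constructed log excerpt in the format quoted in the report.
SAMPLE_LOG="Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): user 'me' granted access
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied"

# Count lines where the java (tomcat) process could not open the audit netlink
# socket. Denials directly after a successful PAM auth are the signature of
# SELinux refusing tomcat_t the netlink_audit_socket permissions.
count_audit_open_denials() {
    printf '%s\n' "$1" | grep -c 'java: PAM audit_open() failed: Permission denied' || true
}

# Write the policy source to "$1/spacewalk-fix.te" and print its path.
write_policy_te() {
    te="$1/spacewalk-fix.te"
    cat > "$te" <<'EOF'
module spacewalk-fix 1.1;

require {
    type tomcat_t;
    type spacewalk_log_t;
    class dir { getattr search };
    class file { open };
    class netlink_audit_socket { create nlmsg_relay read write };
}

# PAM's audit_open() from the WebUI java process needs an audit netlink socket.
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file open;
EOF
    printf '%s\n' "$te"
}

# Compile the .te into a .pp and load it. Returns 2 (without changing the
# system) when the SELinux build tools are not installed.
build_and_load() {
    te="$1"; mod="${te%.te}.mod"; pp="${te%.te}.pp"
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skip: $tool not found" >&2; return 2; }
    done
    checkmodule -M -m -o "$mod" "$te" && semodule_package -o "$pp" -m "$mod" && semodule -i "$pp"
}
```

Before loading a hand-written module, confirm the denial on the affected host with `ausearch -m AVC -c java` so the allow rules match exactly what the policy blocked rather than granting more than needed.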

Comment 1 Jacco Logtenberg 2017-10-02 10:42:27 UTC
Same here, but I am using SSSD instead of Winbind:

# cat /etc/pam.d/rhn-satellite 
auth        required      pam_env.so
auth        sufficient    pam_sss.so no_user_check
auth        required      pam_deny.so
account     required      pam_sss.so no_user_check

# tail /var/log/secure
Oct  2 12:21:58 foohost java: pam_sss(rhn-satellite:auth): authentication success; logname= uid=91 euid=91 tty= ruser= rhost= user=pietjepuk
Oct  2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
Oct  2 12:21:58 foohost java: PAM audit_open() failed: Permission denied

Comment 2 neile.havens 2018-01-17 23:09:07 UTC
Same here with SSSD.

This looks to be a duplicate of https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791

Comment 3 neile.havens 2018-01-17 23:10:53 UTC
(In reply to neile.havens from comment #2)
> Same here with SSSD.
> 
> This looks to be a duplicate of
> https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791

Sorry, incorrect link in my first comment.
Here's the correct link: https://bugzilla.redhat.com/show_bug.cgi?id=1517791

Comment 4 Tomáš Kašpárek 2018-03-26 08:04:21 UTC
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8

Comment 5 Jiří Dostál 2018-03-26 12:17:03 UTC
Moving ON_QA

Comment 6 Jiří Dostál 2018-04-20 12:32:22 UTC
Spacewalk 2.8 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28
