Description of problem:
PAM authentication no longer working for WebUI after upgrading to CentOS 7.4

Version-Release number of selected component (if applicable):
2.6 and 2.7

How reproducible:

Steps to Reproduce:
1. We use winbind via PAM to allow AD login to our Spacewalk. After updating to centos 7.4 the AD login no longer works.

Configuration:
rhn.conf: "pam_auth_service = rhn-satellite"

cat /etc/pam.d/rhn-satellite
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok

2. /var/log/messages:
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): getting password (0x00000000)
Sep 22 11:56:55 swlk01 java: pam_winbind(rhn-satellite:auth): user 'me' granted access
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied
Sep 22 11:56:55 swlk01 java: PAM audit_open() failed: Permission denied

Actual results:
AD login doesn't work

Additional info:
The issue (and solution) appears to be in SELinux. I was able to get everything working by creating my custom SELinux module. Here is the TE that solved my issue:

#--cut
module spacewalk-fix 1.1;

require {
        type osa_dispatcher_t;
        type tomcat_t;
        type spacewalk_log_t;
        type osad_exec_t;
        class dir { getattr search };
        class file { getattr open };
        class netlink_audit_socket { create nlmsg_relay read write };
}

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t osad_exec_t:file getattr;

#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file open;
#--cut

While it addresses two different issues, I believe the main problem was with "netlink_audit_socket"
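
An added example, not part of the original report or of Spacewalk: a small check of which SELinux denials a local module like the one above actually covers, so a custom policy can be reviewed before it is loaded. The allow rules are copied from the report; the audit.log lines are constructed for illustration, since the report does not include any AVC records.

```python
import re

# Allow rules copied from the spacewalk-fix module in the report above.
TE_RULES = """
allow osa_dispatcher_t osad_exec_t:file getattr;
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file open;
"""

# Constructed audit.log lines (not from the report), in the usual AVC layout.
SAMPLE_AUDIT = """
type=AVC msg=audit(1506074215.101:900): avc:  denied  { create } for  pid=2101 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1506074215.102:901): avc:  denied  { nlmsg_relay } for  pid=2101 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1506074216.200:902): avc:  denied  { write } for  pid=2101 comm="java" name="x.log" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=file
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_allow_rules(te_text):
    """Expand allow rules into (source, target, class, permission) tuples."""
    rules = set()
    for src, tgt, tclass, perms in ALLOW_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt   # 'self' means the source type
        for perm in perms.strip("{} ").split():
            rules.add((src, tgt, tclass, perm))
    return rules

def parse_denials(audit_text):
    """Extract the same tuples from AVC denial records."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, scon, tcon, tclass = m.groups()
        # The SELinux type is the third field of user:role:type:level.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        denials += [(src, tgt, tclass, p) for p in perms.split()]
    return denials

def uncovered(audit_text, te_text):
    """Denials that would still be denied with the module loaded."""
    rules = parse_allow_rules(te_text)
    return [d for d in parse_denials(audit_text) if d not in rules]

if __name__ == "__main__":
    for d in uncovered(SAMPLE_AUDIT, TE_RULES):
        print("not covered by module:", d)
```

The reverse comparison is equally useful in review: any rule in the module that matches no observed denial grants access nothing asked for and is a candidate for removal.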
Same here, but I am using SSSD instead of Winbind:

# cat /etc/pam.d/rhn-satellite
auth required pam_env.so
auth sufficient pam_sss.so no_user_check
auth required pam_deny.so
account required pam_sss.so no_user_check

# tail /var/log/secure
Oct 2 12:21:58 foohost java: pam_sss(rhn-satellite:auth): authentication success; logname= uid=91 euid=91 tty= ruser= rhost= user=pietjepuk
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
Oct 2 12:21:58 foohost java: PAM audit_open() failed: Permission denied
Same here with SSSD. This looks to be a duplicate of https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791
(In reply to neile.havens from comment #2)
> Same here with SSSD.
>
> This looks to be a duplicate of
> https://bugzilla.redhat.com/show_b.ug.cgi?id=1517791

Sorry, incorrect link in my first comment. Here's the correct link: https://bugzilla.redhat.com/show_bug.cgi?id=1517791
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8
Moving ON_QA
Spacewalk 2.8 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28