Bug 1496143 - Sync page returns ISE / missing SELinux rules for spacewalk_log_t
Summary: Sync page returns ISE / missing SELinux rules for spacewalk_log_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.7
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Tomáš Kašpárek
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
: 1497050 (view as bug list)
Depends On:
Blocks: space28
TreeView+ depends on / blocked
 
Reported: 2017-09-26 14:35 UTC by Michal Middleton
Modified: 2018-04-20 12:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-20 12:31:39 UTC


Attachments (Terms of Use)

Description Michal Middleton 2017-09-26 14:35:42 UTC
Description of problem:
Accessing Repositories / Sync page returns Internal Server Error

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install Spacewalk 2.7 on CentOS 7.4
2. Add a repo
3. Add a channel, link with existing repo
4. Go to Sync page (https://alnqa1swlk01.gdsxqa.int/rhn/channels/manage/Sync.do?cid=<repoid>) (page still works ok at this time)
5. Request a one time repo sync
6. Wait a few seconds for the sync to begin refresh. You will get ISE


Actual results:
Web server returns ISE

Expected results:
Get sync status

Additional info:
Found this message in Tomcat log (/var/log/tomcat/localhost.2017-09-26.log): 
Sep 26, 2017 2:27:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [action] in context with path [/rhn] threw exception [java.lang.RuntimeException: File not found: /var/log/rhn/reposync/test-channel1.log] with root cause
java.lang.RuntimeException: File not found: /var/log/rhn/reposync/test-channel1.log

I traced this problem to a missing SELinux rules. Here is a TE that solved this issue:

---cut---
module spacewalk-fix 1.3;

require {
	type tomcat_t;
	type spacewalk_log_t;
	class dir { getattr search };
	class file { getattr open read };
}

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };
allow tomcat_t spacewalk_log_t:file { getattr open read };
---cut---

Comment 1 Jan Dobes 2017-10-27 12:31:25 UTC
*** Bug 1497050 has been marked as a duplicate of this bug. ***

Comment 2 John Paul 2017-12-21 08:16:18 UTC
Hi, 
I've a similar comportment.
I used "spacewalk-repo-sync -c <myrepo>" from command line to check if myrepo can be synchronized or not. In my case, it worked well but once I clicked on Sync to schedule the synchronisation, I got "Internal Server Error".

For now, I disable SElinux with setenforce O.

Comment 3 John Paul 2017-12-21 08:26:55 UTC
Thanks Michal for the fix, it works for me too.

Comment 4 Jiří Dostál 2018-03-26 14:10:11 UTC
Should be resolved by https://github.com/spacewalkproject/spacewalk/pull/631

Comment 5 Jiří Dostál 2018-04-20 12:31:39 UTC
Spacewalk 2.8 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28


Note You need to log in before you can comment on or make changes to this bug.