Description of problem:
Attempts to log in with a Kerberos user are somehow blocked by SELinux:

# setenforce 1
# ./login.py
...
xmlrpclib.Fault: <Fault 2950: 'redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.'>

# setenforce 0
# ./login.py
http://bkr-hv03-guest32.dsal.lab.eng.bos.redhat.com/rpc/api
20
2.8 nightly

# audit2allow -a

#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket nlmsg_relay;

audit.log:
type=AVC msg=audit(1511788944.743:596): avc: denied { nlmsg_relay } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

Version-Release number of selected component (if applicable):
spacewalk-java-2.8.41-1.el7.centos.noarch
spacewalk-backend-2.8.30-1.el7.centos.noarch
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
spacewalk-selinux-2.8.1-1.el7.centos.noarch
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
osa-dispatcher-selinux-5.11.98-1.el7.centos.noarch
libselinux-utils-2.5-11.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. set up SW to work with Kerberos
2. create a Kerberos user in Spacewalk
3. try to log in the Kerberos user to SW

login.py:

#!/usr/bin/python
# Log in to the Spacewalk XML-RPC API as the Kerberos user and print the
# API and system versions. Server and credentials come from the environment.
import os
import xmlrpclib

RHN_SERVER = os.getenv('RHN_SERVER', 'localhost')
RHN_USER = os.getenv('RHN_USER', 'kerberosUser')
RHN_PASS = os.getenv('RHN_PASS', 'kerberosPassword')
SATELLITE_URL = "http://%s/rpc/api" % RHN_SERVER

client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
# auth.login is the call that fails with Fault 2950 while enforcing
key = client.auth.login(RHN_USER, RHN_PASS)
print client.api.getVersion()
print client.api.systemVersion()
Two more (they just were not logged before semodule -DB):

type=AVC msg=audit(1511856215.524:825): avc: denied { read } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc: denied { write } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
Should the fix be in the spacewalk-selinux package? Is it as simple as updating line 44 in /usr/share/doc/spacewalk-selinux-2.7.6/spacewalk.te and rebuilding /usr/share/selinux/*/spacewalk.pp?

# current line
allow tomcat_t self:netlink_audit_socket create;

# proposed line (credit to https://bugzilla.redhat.com/show_bug.cgi?id=1494675#c0)
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
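The rule proposed above is the union of the permission already in spacewalk.te (create) with the three permissions denied in the AVC records quoted in the description and the follow-up comment. The script below is an added example, not code from the bug reporter or from the Spacewalk project: it parses those AVC records, merges the denied permissions per (source type, target type, class) the way audit2allow does, collapses identical source and target to self, and renders either the single allow line that belongs in spacewalk.te or a raw-syntax module source for a local interim module. The three AVC lines and the existing create rule are copied from this bug; the module name spacewalk_tomcat_audit is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records quoted in this bug (the first from
# the description, the other two from the comment after `semodule -DB`).
AVC_LINES = """\
type=AVC msg=audit(1511788944.743:596): avc: denied { nlmsg_relay } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856215.524:825): avc: denied { read } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc: denied { write } for pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
"""

# The rule spacewalk.te already carries for this class (the "current line" above).
EXISTING_SPACEWALK_RULES = [
    ('tomcat_t', 'tomcat_t', 'netlink_audit_socket', {'create'}),
]

AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Third field of user:role:type[:range] is the type rules are written against."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, permissions) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m['scontext']), context_type(m['tcontext']),
                   m['tclass'], set(m['perms'].split()))


def collect_rules(text, existing=()):
    """Union denied permissions (plus rules already in policy) per (src, tgt, class)."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in list(existing) + list(parse_avc(text)):
        rules[(src, tgt, cls)].update(perms)
    return rules


def format_rule(src, tgt, cls, perms):
    """Render one allow rule; identical source and target collapses to 'self'."""
    target = 'self' if src == tgt else tgt
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (src, target, cls, body)


def proposed_rules(text, existing=()):
    """The allow lines to put into the policy source, one per (src, tgt, class)."""
    return [format_rule(src, tgt, cls, perms)
            for (src, tgt, cls), perms in sorted(collect_rules(text, existing).items())]


def render_te_module(name, version, text, existing=()):
    """Raw module-language source (the shape audit2allow -M writes) for a local module."""
    rules = collect_rules(text, existing)
    types = sorted({t for (s, tg, _c) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += [format_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(render_te_module('spacewalk_tomcat_audit', '1.0', AVC_LINES, EXISTING_SPACEWALK_RULES))
```

The rendered module source compiles with checkmodule -M -m -o spacewalk_tomcat_audit.mod spacewalk_tomcat_audit.te, packages with semodule_package -o spacewalk_tomcat_audit.pp -m spacewalk_tomcat_audit.mod, and loads with semodule -i spacewalk_tomcat_audit.pp; that is only a stopgap on one host, and the single allow line is what should land in spacewalk.te so the shipped spacewalk.pp carries it. Two caveats a reviewer would want: grant exactly the permissions observed (nlmsg_relay on netlink_audit_socket is the permission for sending userspace audit records, which is what a login attempt produces, so read and write alongside it is the expected minimal set), and collect the AVCs with dontaudit rules disabled (semodule -DB) as done above, because otherwise a silently suppressed denial leaves the rule incomplete and the login still fails in enforcing mode.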
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8
Moving ON_QA
Spacewalk 2.8 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28