Bug 1517791 - AVC: Kerberos user cannot login to Spacewalk on RHEL 7
Summary: AVC: Kerberos user cannot login to Spacewalk on RHEL 7
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomáš Kašpárek
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space28
Reported: 2017-11-27 13:28 UTC by Ales Dujicek
Modified: 2018-04-20 12:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-20 12:31:57 UTC
Embargoed:



Description Ales Dujicek 2017-11-27 13:28:03 UTC
Description of problem:

Attempts to log in with a Kerberos user are somehow blocked by SELinux

# setenforce 1
# ./login.py 
...
xmlrpclib.Fault: <Fault 2950: 'redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.'>

# setenforce 0
# ./login.py 
http://bkr-hv03-guest32.dsal.lab.eng.bos.redhat.com/rpc/api
20
2.8 nightly

# audit2allow -a
#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket nlmsg_relay;


audit.log:
type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket



Version-Release number of selected component (if applicable):
spacewalk-java-2.8.41-1.el7.centos.noarch
spacewalk-backend-2.8.30-1.el7.centos.noarch
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
spacewalk-selinux-2.8.1-1.el7.centos.noarch
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
osa-dispatcher-selinux-5.11.98-1.el7.centos.noarch
libselinux-utils-2.5-11.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. setup SW to work with Kerberos 
2. create Kerberos user in Spacewalk
3. try to login Kerberos user to SW 


login.py:

#!/usr/bin/python
# Python 2 reproducer: log a Kerberos-backed user in over the Spacewalk XML-RPC API

import os
import xmlrpclib

# Server and credentials come from the environment; the defaults are placeholders
RHN_SERVER = os.getenv('RHN_SERVER', 'localhost')
RHN_USER = os.getenv('RHN_USER', 'kerberosUser')
RHN_PASS = os.getenv('RHN_PASS', 'kerberosPassword')

SATELLITE_URL = "http://%s/rpc/api" % RHN_SERVER

client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
# auth.login raises xmlrpclib.Fault 2950 when the server rejects the credentials
key = client.auth.login(RHN_USER, RHN_PASS)

print client.api.getVersion()
print client.api.systemVersion()

Comment 1 Ales Dujicek 2017-11-28 09:58:55 UTC
Two more (they just were not logged before running # semodule -DB):

type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

Comment 2 neile.havens 2018-01-17 23:21:13 UTC
Should the fix be in the spacewalk-selinux package?  Is it as simple as updating line 44 in /usr/share/doc/spacewalk-selinux-2.7.6/spacewalk.te and rebuilding /usr/share/selinux/*/spacewalk.pp?

# current line
allow tomcat_t self:netlink_audit_socket create;

# proposed line (credit to https://bugzilla.redhat.com/show_bug.cgi?id=1494675#c0)
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
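The following is an added example, not code from this bug report or from Spacewalk. It does by hand what audit2allow did in the description and comment 1: it parses the three AVC lines quoted above, merges the permissions they request with the rule spacewalk.te already carried (the EXISTING_RULES table below is assumed from comment 2), and renders the aggregated allow rule so a reviewer can see exactly which permissions a policy change would add.

```python
import re
from collections import defaultdict

# AVC lines copied from this bug report (description and comment 1).
AVC_LINES = [
    'type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
]
# Assumed: the rule spacewalk.te carried before the fix, as quoted in comment 2.
EXISTING_RULES = {("tomcat_t", "self", "netlink_audit_socket"): {"create"}}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return (source type, target type, class, set of perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Same source and target type is written as "self" in policy language.
    ttype = "self" if m["ttype"] == m["stype"] else m["ttype"]
    return m["stype"], ttype, m["tclass"], set(m["perms"].split())

def aggregate(lines, existing=None):
    """Group denied permissions by (stype, ttype, tclass), merged with existing rules."""
    needed = defaultdict(set)
    for key, perms in (existing or {}).items():
        needed[key] |= perms
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed[(stype, ttype, tclass)] |= perms
    return dict(needed)

def new_permissions(needed, existing):
    """Only the permissions the denials add on top of what policy already allows."""
    return {k: v - existing.get(k, set()) for k, v in needed.items() if v - existing.get(k, set())}

def render_rules(needed):
    """Emit one allow rule per key, permissions sorted, braces only when needed."""
    out = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return out

if __name__ == "__main__":
    merged = aggregate(AVC_LINES, EXISTING_RULES)
    print("added:", new_permissions(merged, EXISTING_RULES))
    print("\n".join(render_rules(merged)))
```

Running it yields exactly the proposed line from comment 2, with the three new permissions (nlmsg_relay, read, write) listed separately from the pre-existing create.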

Comment 4 Tomáš Kašpárek 2018-03-26 08:04:14 UTC
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8

Comment 5 Jiří Dostál 2018-03-26 12:16:47 UTC
Moving ON_QA

Comment 6 Jiří Dostál 2018-04-20 12:31:57 UTC
Spacewalk 2.8 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28

