Description of problem: When running API kickstart.snippet.listDefault, it produces AVC on server side and produces "xmlrpc.client.Fault: <Fault -1: 'redstone.xmlrpc.XmlRpcFault: unhandled internal exception: null'>" on client side. Version-Release number of selected component (if applicable): # rpm -qa | grep selinux libselinux-python-2.5-12.el7.x86_64 libselinux-utils-2.5-12.el7.x86_64 libselinux-2.5-12.el7.x86_64 osa-dispatcher-selinux-5.11.98-1.el7.centos.noarch selinux-policy-3.13.1-183.el7.noarch spacewalk-selinux-2.8.2-1.el7.centos.noarch selinux-policy-targeted-3.13.1-183.el7.noarch # rpm -q spacewalk-java spacewalk-java-2.8.49-1.el7.centos.noarch How reproducible: always Steps to Reproduce: 1. call API kickstart.snippet.listDefault Actual results: It results in AVC and causes an exception. Expected results: No AVC and no exception. Tomcat? probably should have access to /var/lib/cobbler/snippets. Additional info: [root@bkr-hv03-guest04 simpleTestApi]# sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b13.el7.x86_64/jre/bin/java from read access on the directory /var/lib/cobbler/snippets. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that java should be allowed read access on the snippets directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'java' --raw | audit2allow -M my-java # semodule -i my-java.pp Additional Information: Source Context system_u:system_r:tomcat_t:s0 Target Context system_u:object_r:cobbler_var_lib_t:s0 Target Objects /var/lib/cobbler/snippets [ dir ] Source java Source Path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b13.el 7.x86_64/jre/bin/java Port <Unknown> Host <Unknown> Source RPM Packages java-1.8.0-openjdk- headless-1.8.0.151-5.b13.el7.x86_64 Target RPM Packages spacewalk-config-2.8.2-1.el7.centos.noarch cobbler20-2.0.11-74.el7.centos.noarch Policy RPM selinux-policy-3.13.1-183.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name bkr-hv03-guest04.dsal.lab.eng.bos.redhat.com Platform Linux bkr-hv03-guest04.dsal.lab.eng.bos.redhat.com 3.10.0-823.el7.x86_64 #1 SMP Wed Dec 13 21:17:45 EST 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-12-19 05:12:29 EST Last Seen 2017-12-19 05:12:29 EST Local ID 66fbe3a9-28b1-439e-82bf-20c5ee83d177 Raw Audit Messages type=AVC msg=audit(1513678349.811:1097): avc: denied { read } for pid=30858 comm="java" name="snippets" dev="dm-0" ino=34969923 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1513678349.811:1097): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f46b4019a00 a2=90800 a3=0 items=0 ppid=1 pid=30858 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b13.el7.x86_64/jre/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null) Hash: java,tomcat_t,cobbler_var_lib_t,dir,read ################################################# Issue resolved by following sealert instructions. Reproducer is in automation: /CoreOS/RHN-Satellite/FrontendAPI/Sanity/simpleTestApi
Fixed in spacewalk git by commit 66e3ace3eb6fee864017abdca18d5e26ee2e3ca1 1527380 - allow tomcat to read cobbler data
Spacewalk 2.9 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes29