
Bug 1517791

Summary: AVC: Kerberos user cannot login to Spacewalk on RHEL 7
Product: [Community] Spacewalk
Component: Server
Version: 2.7
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Ales Dujicek <adujicek>
Assignee: Tomáš Kašpárek <tkasparek>
QA Contact: Red Hat Satellite QA List <satellite-qa-list>
CC: neile.havens, ogajduse, wayne.johnson
Target Milestone: ---
Target Release: ---
Last Closed: 2018-04-20 12:31:57 UTC
Type: Bug
Bug Blocks: 1564160

Description Ales Dujicek 2017-11-27 13:28:03 UTC
Description of problem:

Attempts to log in with a Kerberos user are somehow blocked by SELinux

# setenforce 1
# ./ 
xmlrpclib.Fault: <Fault 2950: 'redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.'>

# setenforce 0
# ./
2.8 nightly

# audit2allow -a
#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket nlmsg_relay;

type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up SW to work with Kerberos
2. create Kerberos user in Spacewalk
3. try to log in as the Kerberos user to SW


import os
import xmlrpclib

RHN_SERVER = os.getenv('RHN_SERVER', 'localhost')
RHN_USER = os.getenv('RHN_USER', 'kerberosUser')
RHN_PASS = os.getenv('RHN_PASS', 'kerberosPasssword')

SATELLITE_URL = "http://%s/rpc/api" % RHN_SERVER

client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
key = client.auth.login(RHN_USER, RHN_PASS)

print client.api.getVersion()
print client.api.systemVersion()

Comment 1 Ales Dujicek 2017-11-28 09:58:55 UTC
two more (they just were not logged before # semodule -DB)

type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

Comment 2 neile.havens 2018-01-17 23:21:13 UTC
Should the fix be in the spacewalk-selinux package?  Is it as simple as updating line 44 in /usr/share/doc/spacewalk-selinux-2.7.6/spacewalk.te and rebuilding /usr/share/selinux/*/spacewalk.pp?

# current line
allow tomcat_t self:netlink_audit_socket create;

# proposed line (credit to
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };
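
Added example, not part of the bug report or the Spacewalk source: a Python 3 sketch that folds the three AVC records quoted above into one rule and merges it with the "current line" from Comment 2, so the result can be compared with the proposed line before a policy module is rebuilt. The function names and the `EXISTING` table are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from the description and Comment 1 of this bug.
AVC_LOG = """\
type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
"""

# Rule already in spacewalk.te according to Comment 2 ("current line").
EXISTING = {("tomcat_t", "tomcat_t", "netlink_audit_socket"): {"create"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def merged_rules(denials, already_allowed):
    """Emit one allow rule per key: existing permissions plus denied ones."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # same source and target type
        wanted = sorted(perms | already_allowed.get((src, tgt, tclass), set()))
        rules.append("allow %s %s:%s { %s };" % (src, target, tclass, " ".join(wanted)))
    return rules


if __name__ == "__main__":
    for rule in merged_rules(collect_denials(AVC_LOG), EXISTING):
        print(rule)
```

The `read` and `write` records are present only because dontaudit rules were disabled with `semodule -DB`, as Comment 1 notes; a merge built from the first record alone would stop at `create nlmsg_relay`.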

Comment 4 Tomáš Kašpárek 2018-03-26 08:04:14 UTC
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8

Comment 5 Jiří Dostál 2018-03-26 12:16:47 UTC
Moving ON_QA

Comment 6 Jiří Dostál 2018-04-20 12:31:57 UTC
Spacewalk 2.8 has been released.