Bug 1517791 - AVC: Kerberos user cannot login to Spacewalk on RHEL 7
Summary: AVC: Kerberos user cannot login to Spacewalk on RHEL 7
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomáš Kašpárek
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space28
Reported: 2017-11-27 13:28 UTC by Ales Dujicek
Modified: 2018-04-20 12:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-20 12:31:57 UTC



Description Ales Dujicek 2017-11-27 13:28:03 UTC
Description of problem:

Attempts to log in with a Kerberos user are somehow blocked by SELinux

# setenforce 1
# ./login.py 
...
xmlrpclib.Fault: <Fault 2950: 'redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.'>

# setenforce 0
# ./login.py 
http://bkr-hv03-guest32.dsal.lab.eng.bos.redhat.com/rpc/api
20
2.8 nightly

# audit2allow -a
#============= tomcat_t ==============
allow tomcat_t self:netlink_audit_socket nlmsg_relay;


audit.log:
type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket



Version-Release number of selected component (if applicable):
spacewalk-java-2.8.41-1.el7.centos.noarch
spacewalk-backend-2.8.30-1.el7.centos.noarch
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-2.5-11.el7.x86_64
spacewalk-selinux-2.8.1-1.el7.centos.noarch
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
osa-dispatcher-selinux-5.11.98-1.el7.centos.noarch
libselinux-utils-2.5-11.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. setup SW to work with Kerberos 
2. create Kerberos user in Spacewalk
3. try to login Kerberos user to SW 


login.py:

#!/usr/bin/python
# Python 2 script: xmlrpclib is the Python 2 module (xmlrpc.client in Python 3).

import os
import xmlrpclib

# Server and credentials come from the environment, with test defaults.
RHN_SERVER = os.getenv('RHN_SERVER', 'localhost')
RHN_USER = os.getenv('RHN_USER', 'kerberosUser')
RHN_PASS = os.getenv('RHN_PASS', 'kerberosPasssword')

SATELLITE_URL = "http://%s/rpc/api" % RHN_SERVER

client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
# auth.login raises xmlrpclib.Fault when the server rejects the credentials
# (this is where the Kerberos user fails under setenforce 1).
key = client.auth.login(RHN_USER, RHN_PASS)

print client.api.getVersion()
print client.api.systemVersion()

Comment 1 Ales Dujicek 2017-11-28 09:58:55 UTC
two more (they just were not logged before # semodule -DB)

type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket

Comment 2 neile.havens 2018-01-17 23:21:13 UTC
Should the fix be in the spacewalk-selinux package?  Is it as simple as updating line 44 in /usr/share/doc/spacewalk-selinux-2.7.6/spacewalk.te and rebuilding /usr/share/selinux/*/spacewalk.pp?

# current line
allow tomcat_t self:netlink_audit_socket create;

# proposed line (credit to https://bugzilla.redhat.com/show_bug.cgi?id=1494675#c0)
allow tomcat_t self:netlink_audit_socket { create nlmsg_relay read write };

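The description, comment 1 and comment 2 together show three AVC records and the one existing `allow` line they need to be folded into. As an added example (not Spacewalk code, not audit2allow, and not written by anyone on this bug), the script below parses those three audit.log lines, extracts the source/target SELinux types and object class, merges the denied permissions with the rule already in spacewalk.te, and prints a minimal policy line. The regular expressions and helper names are my own assumptions; the AVC lines and the existing rule are copied from the comments above.

```python
#!/usr/bin/python3
"""Fold AVC denials into a minimal SELinux allow rule (assumed helper, not part of Spacewalk)."""
import re

# The three AVC records quoted in this bug (description and comment 1), copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1511788944.743:596): avc:  denied  { nlmsg_relay } for  pid=23475 comm="java" '
    'scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1511856215.524:825): avc:  denied  { read } for  pid=23475 comm="java" '
    'scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1511856025.396:807): avc:  denied  { write } for  pid=23475 comm="java" '
    'scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket',
]

# The rule already present in spacewalk.te, as quoted in comment 2.
EXISTING_RULES = ['allow tomcat_t self:netlink_audit_socket create;']

# Assumed field layout of an AVC record: permissions in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumed shape of a TE allow rule: "allow SRC TGT:CLASS PERM;" or "... { PERM PERM };"
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|[^\s;]+)\s*;\s*$'
)


def type_of(context):
    """Return the type field (third component) of an SELinux context string."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m['perms'].split()),
        'src': type_of(m['scontext']),
        'tgt': type_of(m['tcontext']),
        'cls': m['tclass'],
    }


def parse_rule(rule):
    """Parse an allow rule into ((src, tgt, cls), set_of_perms)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('not an allow rule: %r' % rule)
    perms = set(m['perms'].strip('{}').split())
    return (m['src'], m['tgt'], m['cls']), perms


def merge_denials(avc_lines, existing_rules=()):
    """Union the permissions of existing rules and parsed denials, keyed by (src, tgt, cls)."""
    rules = {}
    for rule in existing_rules:
        key, perms = parse_rule(rule)
        rules.setdefault(key, set()).update(perms)
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue  # skip non-AVC lines rather than guessing
        # Same source and target type is written as "self" in TE rules.
        tgt = 'self' if d['src'] == d['tgt'] else d['tgt']
        rules.setdefault((d['src'], tgt, d['cls']), set()).update(d['perms'])
    return rules


def format_rule(key, perms):
    """Render a rule; a single permission is written without braces, as audit2allow does."""
    src, tgt, cls = key
    ordered = sorted(perms)
    body = ordered[0] if len(ordered) == 1 else '{ %s }' % ' '.join(ordered)
    return 'allow %s %s:%s %s;' % (src, tgt, cls, body)


def proposed_rules(avc_lines, existing_rules=()):
    """Return the merged rules as sorted policy lines."""
    merged = merge_denials(avc_lines, existing_rules)
    return [format_rule(key, perms) for key, perms in sorted(merged.items())]


def new_permissions(avc_lines, existing_rules=()):
    """Which denied permissions are not yet granted by the existing rules (the real delta)."""
    granted = merge_denials([], existing_rules)
    needed = merge_denials(avc_lines)
    return {key: sorted(perms - granted.get(key, set())) for key, perms in needed.items()}


if __name__ == '__main__':
    for rule in proposed_rules(AVC_LINES, EXISTING_RULES):
        print(rule)
```

Run with the three records it reproduces the line proposed in comment 2 exactly; run with only the first record it reproduces the audit2allow output in the description. The useful difference from plain audit2allow is `new_permissions`, which reports only the delta against what spacewalk.te already grants, so the rule stays limited to the four named permissions on `netlink_audit_socket` rather than growing to a broader grant.
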
Comment 4 Tomáš Kašpárek 2018-03-26 08:04:14 UTC
spacewalk.git(master): daf37e6008e2ddea13bc193c1d36a66dd88a87e8

Comment 5 Jiří Dostál 2018-03-26 12:16:47 UTC
Moving ON_QA

Comment 6 Jiří Dostál 2018-04-20 12:31:57 UTC
Spacewalk 2.8 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes28

