[Spacewalk-list] CentOS 6.6 upgrade breaks osad on SW 2.1 clients that have SELinux in enforcing mode

Stuart Green stuart.green at doccentrics.com
Fri Nov 14 15:21:06 UTC 2014 

Found a public bug report, not sure  much attention 'medium' severity gets?
https://bugzilla.redhat.com/show_bug.cgi?id=1161288

On 14/11/2014 15:15, Stuart Green wrote:
> 
> Many thanks for highlighting the work around, bit of a nightmare bug
> this when the client boxes are not remote executable!
> 
> I assume if satellite support are working on it, theres a internal
> redhat internal view only bug?
> 
> On 13/11/2014 18:59, Andy Ingham wrote:
>> Scratch that last post.  :)
>>
>> I think I'm mistaken, and the setting WILL persist across reboots ...
>>
>> Andy
>>
>> From: Andy Ingham <andy.ingham at duke.edu<mailto:andy.ingham at duke.edu>>
>> Reply-To: "spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>" <spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>>
>> Date: Thursday, November 13, 2014 at 1:38 PM
>> To: "spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>" <spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>>
>> Subject: Re: [Spacewalk-list] CentOS 6.6 upgrade breaks osad on SW 2.1 clients that have SELinux in enforcing mode
>>
>> This is a fine workaround EXCEPT be aware that it does NOT persist across reboots.
>>
>> That is, you'll have to re-run the command after every reboot.  (I'm hoping someone can indicate that I'm wrong on this, but I don't see a "persistent" option for that command).
>>
>> Andy
>>
>> From: ndegz <nndegz at gmail.com<mailto:nndegz at gmail.com>>
>> Reply-To: "nndegz+list at gmail.com<mailto:nndegz+list at gmail.com>" <nndegz+list at gmail.com<mailto:nndegz+list at gmail.com>>, "spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>" <spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>>
>> Date: Friday, November 7, 2014 at 3:18 PM
>> To: "spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>" <spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>>
>> Subject: Re: [Spacewalk-list] CentOS 6.6 upgrade breaks osad on SW 2.1 clients that have SELinux in enforcing mode
>>
>> Ran into the same issue and found this blog post
>> Short tip: osad: Unable to connect to the host and port specified (EL6.6 + EL7)<http://blog.christian-stankowic.de/?p=6341&lang=en>
>>
>> semanage permissive -a osad_t
>>
>>
>>
>>
>> On Thu, Nov 6, 2014 at 12:59 PM, Kevin Sandy <kevin at digitallotus.com<mailto:kevin at digitallotus.com>> wrote:
>> I've been seeing this as well.  Clients are on CentOS 6.6 with Spacewalk 2.2.  I've had to put SELinux in permissive mode for now.
>>
>>
>> -- kevin
>>
>>
>>
>> On Nov 6, 2014, at 12:48 PM, Andy Ingham <andy.ingham at duke.edu<mailto:andy.ingham at duke.edu>> wrote:
>>
>> Ever since updating from CentOS 6.5 > 6.6, my servers (which are all at
>> spacewalk client version 2.1) are showing:
>>
>>
>> +++++++++++++++++++++++++
>> SELinux is preventing /usr/bin/python from name_connect access on the
>> tcp_socket .
>>
>> *****  Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that python should be allowed name_connect access on the
>> tcp_socket by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep osad /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>> +++++++++++++++++++++++++
>>
>>
>>
>>
>>
>> And FWIW, attempting to mitigate by adding a local policy (as the above
>> notice instructs) ALSO FAILS:
>>
>> [root at HOSTNAME local_policy]# semodule -i osad.pp
>> libsepol.print_missing_requirements: osad's global requirements were not
>> met: type/attribute osad_t (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>> directory).
>> semodule:  Failed!
>>
>>
>>
>>
>>
>> Is this a known issue?
>>
>>
>> Andy
>>
>> Andy Ingham
>> IT Infrastructure
>> Fuqua School of Business
>> Duke University
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com<mailto:Spacewalk-list at redhat.com>
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com<mailto:Spacewalk-list at redhat.com>
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>>
>>
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20141114/e89134d0/attachment.sig>

More information about the Spacewalk-list mailing list