CentOS 7.4, Spacewalk 2.7 and Reposync: Internal Server Error

After my last Spacewalk 2.7 installation I had the problem that synchronising repositories using the web interface failed with the following error:

Reposync error in Spacewalk 2.7 web interface

The system log (/var/log/messages) contained the following stack trace:

Jan 24 21:02:13 st-spacewalk03 server: Caused by: java.lang.RuntimeException: File not found: /var/log/rhn/reposync/icinga2.log
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.common.util.FileUtils.readStringFromFile(FileUtils.java:101)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.getLastSyncLog(SyncRepositoriesAction.java:215)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.parseSyncLog(SyncRepositoriesAction.java:227)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.execute(SyncRepositoriesAction.java:84)
Jan 24 21:02:13 st-spacewalk03 server: at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
Jan 24 21:02:13 st-spacewalk03 server: ... 45 more

Strangely, the file existed:

# cd /var/log/rhn
# ll -d reposync
drwxr-xr-x. 2 root apache 4096 18. Jan 23:21 reposync
# ll reposync
total 3244
-rw-rw----. 1 apache apache   94706 24. Jan 20:57 icinga2.log
-rw-rw----. 1 apache apache 3203348 24. Jan 20:57 opensuse-42.3.log
-rw-rw----. 1 apache apache    7915 24. Jan 20:50 spacewalk-27-client.log

The SELinux type of the log files was also conspicuous:

# ll -Z /var/log/rhn/reposync
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 icinga2.log
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 opensuse-42.3.log
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 spacewalk-27-client.log

Restoring the SELinux type changed it to spacewalk_log_t:

# restorecon -Rv /var/log/rhn/reposync
restorecon reset icinga2.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0
restorecon reset opensuse-42.3.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0
restorecon reset spacewalk-27-client.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0

Unfortunately, that did not fix the issue, so it was time to take a deeper look at SELinux. With SELinux disabled, synchronising repositories worked, as mentioned on a mailing list. Of course, that is no permanent solution; the missing permissions can instead be granted with a custom SELinux module. To create this module, I cleared the audit log before reloading the failing web page. Then the audit log is read again, so that only the most recent denials end up in the module source draft (named reposync_tomcat in this case):

# > /var/log/audit/audit.log
# audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1516824133.699:59063): avc:  denied  { read } for  pid=3498 comm="java" name="icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
# audit2allow -i /var/log/audit/audit.log -m reposync_tomcat > reposync_tomcat.te

The module source quickly showed that the tomcat_t domain lacked permission to open and read files of type spacewalk_log_t:

# cat reposync_tomcat.te

module reposync_tomcat 1.0;

require {
        type tomcat_t;
        type spacewalk_log_t;
        class file { open read };
}

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:file open;
allow tomcat_t spacewalk_log_t:file read;

To compile the module, it may be necessary to install the policycoreutils-devel package first:

# yum install policycoreutils-devel

Afterwards, the module can be compiled and installed like this:

# make -f /usr/share/selinux/devel/Makefile reposync_tomcat.pp
# semodule -i reposync_tomcat.pp

semodule can also be used to check whether the module has been loaded:

# semodule -l | grep reposync
reposync_tomcat 1.0
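The audit2allow step above turns AVC denials into allow rules, and the draft it produces should be read before it is compiled and loaded. The following POSIX shell script is an added example, not code from the original post, from Spacewalk or from audit2allow: it reproduces that conversion on a constructed sample of audit records (the first AVC line mirrors the denial shown above; the SYSCALL record, the extra open denial, the second read denial and the dir write denial are invented to exercise filtering, de-duplication and grouping), and adds a small review gate that flags any rule granting more than an expected set of permissions. The function names avc_to_te and review_te and the sample records are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Spacewalk/audit2allow.
# It re-implements the audit2allow step on a constructed sample so the
# resulting .te draft can be reviewed before it is compiled and loaded.
# Function names (avc_to_te, review_te) and the sample records are assumptions.

# Constructed audit records. The first AVC line mirrors the denial shown in the
# post; the SYSCALL record, the extra "open" denial, the second "read" denial
# for another log file and the "dir write" denial are made up to exercise
# record filtering, de-duplication and grouping of permissions.
SAMPLE_AUDIT='type=AVC msg=audit(1516824133.699:59063): avc:  denied  { read } for  pid=3498 comm="java" name="icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file
type=SYSCALL msg=audit(1516824133.699:59063): arch=c000003e syscall=2 success=no exit=-13 comm="java"
type=AVC msg=audit(1516824133.700:59064): avc:  denied  { open } for  pid=3498 comm="java" name="icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file
type=AVC msg=audit(1516824134.100:59065): avc:  denied  { read } for  pid=3498 comm="java" name="opensuse-42.3.log" dev="dm-3" ino=2410 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file
type=AVC msg=audit(1516824134.200:59066): avc:  denied  { write } for  pid=3498 comm="java" name="reposync" dev="dm-3" ino=2400 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=dir'

# avc_to_te MODULE_NAME < audit.log
# Reads audit records on stdin and prints a policy module draft: one "allow"
# rule per (source type, target type, class) carrying the union of the denied
# permissions, plus the matching "require" block.
avc_to_te() {
    mod="$1"
    awk '
        $1 == "type=AVC" && /denied/ {
            # the permissions sit between the braces: "denied  { open read }"
            if (!match($0, /\{[^}]*\}/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # a context is user:role:type:level; the type is element 3
                if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); src = a[3] }
                if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); tgt = a[3] }
                if (index($i, "tclass=") == 1) cls = substr($i, 8)
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
        }' |
    LC_ALL=C sort -u |
    awk -v mod="$mod" '
        {
            key = $1 " " $2 " " $3
            if (!(key in rule)) { korder[++nk] = key; rule[key] = "" }
            rule[key] = rule[key] " " $4
            if (!($1 in tseen)) { tseen[$1] = 1; torder[++nt] = $1 }
            if (!($2 in tseen)) { tseen[$2] = 1; torder[++nt] = $2 }
            if (!($3 in cseen)) { cseen[$3] = 1; corder[++nc] = $3; cperm[$3] = "" }
            if (!(($3, $4) in pseen)) { pseen[$3, $4] = 1; cperm[$3] = cperm[$3] " " $4 }
        }
        END {
            print "module " mod " 1.0;"
            print ""
            print "require {"
            for (i = 1; i <= nt; i++) print "\ttype " torder[i] ";"
            for (i = 1; i <= nc; i++) print "\tclass " corder[i] " {" cperm[corder[i]] " };"
            print "}"
            print ""
            for (i = 1; i <= nk; i++) {
                split(korder[i], k, " ")
                print "allow " k[1] " " k[2] ":" k[3] " {" rule[korder[i]] " };"
            }
        }'
}

# review_te "perm perm ..." < module.te
# Prints every allow rule that grants a permission outside the given
# allow-list and exits 1 if any was found, 0 otherwise. Intended as a gate
# before "semodule -i": audit2allow output should never be loaded unread.
review_te() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^allow / {
            if (!match($0, /\{[^}]*\}/)) next
            m = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            for (j = 1; j <= m; j++)
                if (!(p[j] in ok)) { print "REVIEW: " $0; bad = 1; break }
        }
        END { if (bad) exit 1 }'
}

# Stand-alone run on the constructed sample: print the draft, then gate it.
DRAFT="$(printf '%s\n' "$SAMPLE_AUDIT" | avc_to_te reposync_tomcat)"
printf '%s\n' "$DRAFT"
printf '%s\n' "$DRAFT" | review_te "open read getattr" ||
    echo "draft grants more than open/read/getattr, review it before semodule -i" >&2
```

On the sample above the draft contains two rules, `allow tomcat_t spacewalk_log_t:file { open read };` and `allow tomcat_t spacewalk_log_t:dir { write };`; the second one is what review_te reports, which is the kind of rule worth questioning before it is compiled with the Makefile and installed with semodule as shown in the post. Redirecting the draft to reposync_tomcat.te slots it into the same build steps.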

Tadaaa – working:

Reposync in Spacewalk 2.7 web interface

There is already a bug for this in the Red Hat bug tracker: “1522939: Internal Server Error – Syncing Repos to Channel”.

Comments

Comment from James:

I had the exact same issue, but in addition to what the guy under you wrote at https://bugzilla.redhat.com/show_bug.cgi?id=1522939, I also added the open and read permissions.

    module reposync_tomcat 1.0;

    require {
            type tomcat_t;
            type spacewalk_log_t;
            class file { open read };
    }

    #============= tomcat_t ==============
    allow tomcat_t spacewalk_log_t:file open;
    allow tomcat_t spacewalk_log_t:file read;

Reply from Christian:

Hey James,
thanks for the feedback – glad to see that you managed to fix it.

Also sounds kinda strange to me that this is broken by default.

Best wishes,
Christian