CentOS 7.4, Spacewalk 2.7 and Reposync: Internal Server Error

After my last Spacewalk 2.7 installation I had the problem that synchronising repositories using the web interface failed with the following error:

[Screenshot: Reposync error in Spacewalk 2.7 web interface]

The system log (/var/log/messages) contained the following stack trace:

Jan 24 21:02:13 st-spacewalk03 server: Caused by: java.lang.RuntimeException: File not found: /var/log/rhn/reposync/icinga2.log
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.common.util.FileUtils.readStringFromFile(FileUtils.java:101)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.getLastSyncLog(SyncRepositoriesAction.java:215)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.parseSyncLog(SyncRepositoriesAction.java:227)
Jan 24 21:02:13 st-spacewalk03 server: at com.redhat.rhn.frontend.action.channel.manage.SyncRepositoriesAction.execute(SyncRepositoriesAction.java:84)
Jan 24 21:02:13 st-spacewalk03 server: at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
Jan 24 21:02:13 st-spacewalk03 server: ... 45 more

Strangely, the file existed:

# cd /var/log/rhn
# ll -d reposync
drwxr-xr-x. 2 root apache 4096 18. Jan 23:21 reposync
# ll reposync
total 3244
-rw-rw----. 1 apache apache   94706 24. Jan 20:57 icinga2.log
-rw-rw----. 1 apache apache 3203348 24. Jan 20:57 opensuse-42.3.log
-rw-rw----. 1 apache apache    7915 24. Jan 20:50 spacewalk-27-client.log

The SELinux type of the log files also looked wrong:

# ll -Z /var/log/rhn/reposync
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 icinga2.log
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 opensuse-42.3.log
-rw-rw----. apache apache unconfined_u:object_r:unconfined_t:s0 spacewalk-27-client.log

Restoring the SELinux type changed it to spacewalk_log_t:

# restorecon -Rv /var/log/rhn/reposync
restorecon reset icinga2.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0
restorecon reset opensuse-42.3.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0
restorecon reset spacewalk-27-client.log context unconfined_u:object_r:unconfined_t:s0->unconfined_u:object_r:spacewalk_log_t:s0

Unfortunately, that didn't fix the issue, so it was time to take a closer look at SELinux. With SELinux disabled, synchronising repositories worked, as mentioned on a mailing list. Of course, disabling SELinux is not a permanent solution; the missing permissions can instead be granted with a custom SELinux module. To create this module, I truncated the audit log before reloading the failing web page, so that only the denials from that request are recorded. The audit log is then read with audit2why to confirm the cause, and audit2allow turns the recorded denials into a module source draft (named reposync_tomcat here):

# > /var/log/audit/audit.log
# audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1516824133.699:59063): avc:  denied  { read } for  pid=3498 comm="java" name="icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
# audit2allow -i /var/log/audit/audit.log -m reposync_tomcat > reposync_tomcat.te

The module source quickly showed that the tomcat_t type lacks permission to open and read files of the spacewalk_log_t type:

# cat reposync_tomcat.te

module reposync_tomcat 1.0;

require {
        type tomcat_t;
        type spacewalk_log_t;
        class file { open read };
}

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:file open;
allow tomcat_t spacewalk_log_t:file read;

To compile the module, the policycoreutils-devel package may need to be installed first:

# yum install policycoreutils-devel

Afterwards, the module can be compiled and installed like this:

# make -f /usr/share/selinux/devel/Makefile reposync_tomcat.pp
# semodule -i reposync_tomcat.pp

semodule can also confirm that the module has been loaded:

# semodule -l | grep reposync
reposync_tomcat 1.0
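The steps above (clear the audit log, reproduce the denial, let audit2allow turn the AVC records into a .te draft) can be followed by hand when policycoreutils-devel is not available. The script below is an added example, not part of the original post or of Spacewalk: a small awk stand-in for "audit2allow -m" that reads audit lines, keeps only AVC "denied" records, and prints the require block and allow rules, merging repeated denials for the same source/target/class into one line. The function name avc_to_te and the sample records in SAMPLE_AVC are constructed here (the second AVC record and the SYSCALL record are made up to show merging and filtering).

```shell
#!/bin/sh
# Added example (not part of the original post): a minimal stand-in for
# "audit2allow -m", turning AVC denial lines into a .te module draft.
# Sample denials are constructed after the record shown in the post.
SAMPLE_AVC='type=AVC msg=audit(1516824133.699:59063): avc:  denied  { read } for  pid=3498 comm="java" name="icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file
type=AVC msg=audit(1516824133.699:59064): avc:  denied  { open } for  pid=3498 comm="java" path="/var/log/rhn/reposync/icinga2.log" dev="dm-3" ino=2409 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:spacewalk_log_t:s0 tclass=file
type=SYSCALL msg=audit(1516824133.699:59064): arch=c000003e syscall=2 success=no exit=-13 comm="java"'

# avc_to_te MODULE_NAME  (reads audit lines on stdin, prints the .te draft)
avc_to_te() {
  awk -v mod="$1" '
  # value of key=... up to the next blank, e.g. field($0, "tclass=") -> "file"
  function field(line, key) { return match(line, key "[^ ]+") ? substr(line, RSTART + length(key), RLENGTH - length(key)) : "" }
  # third colon-separated field of a context is the SELinux type
  function ctxtype(ctx,   f) { split(ctx, f, ":"); return f[3] }
  # append w to a blank-separated list unless it is already present
  function addword(list, w) { return index(" " list " ", " " w " ") ? list : (list == "" ? w : list " " w) }
  /^type=AVC / && /avc: *denied/ {
    perms = $0                       # text between the braces, e.g. "read"
    sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
    st = ctxtype(field($0, "scontext="))   # e.g. tomcat_t
    tt = ctxtype(field($0, "tcontext="))   # e.g. spacewalk_log_t
    cl = field($0, "tclass=")              # e.g. file
    if (!(st in seen)) { seen[st] = 1; types[++nt] = st }
    if (!(tt in seen)) { seen[tt] = 1; types[++nt] = tt }
    if (!(cl in cseen)) { cseen[cl] = 1; classes[++nc] = cl }
    key = st ":" tt ":" cl
    if (!(key in rseen)) { rseen[key] = 1; rules[++nr] = key }
    n = split(perms, p, " ")
    for (i = 1; i <= n; i++) {
      rperms[key] = addword(rperms[key], p[i])   # per allow rule
      cperms[cl]  = addword(cperms[cl], p[i])    # per class in require {}
    }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (i = 1; i <= nt; i++) printf "        type %s;\n", types[i]
    for (i = 1; i <= nc; i++) printf "        class %s { %s };\n", classes[i], cperms[classes[i]]
    print "}\n"
    for (i = 1; i <= nr; i++) {
      split(rules[i], k, ":")
      if (k[1] != last) { printf "#============= %s ==============\n", k[1]; last = k[1] }
      printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rperms[rules[i]]
    }
  }'
}

# Stand-alone run: prints the rules the post obtained from audit2allow, merged into one allow line
printf '%s\n' "$SAMPLE_AVC" | avc_to_te reposync_tomcat
```

The draft only ever grants what was actually denied, which is the point of reproducing the failure with a freshly cleared audit log: review each allow line before compiling it with the Makefile and semodule as shown above.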

Tadaaa – working:

[Screenshot: Reposync in Spacewalk 2.7 web interface]

If repository syncing still fails, you might also need to enable the following SELinux boolean (thanks to Rick from the comment section below):

# setsebool -P tomcat_read_rpm_db 1

There is also a matching report in the Red Hat bug tracker: “1522939: Internal Server Error – Syncing Repos to Channel”.

6 comments

    • Hey James,
      thanks for the feedback – glad to see that you managed to fix it.

      Also sounds kinda strange to me that this is broken by default.

      Best wishes,
      Christian

  1. I had the same exact issue, but in addition to what the guy under you wrote at https://bugzilla.redhat.com/show_bug.cgi?id=1522939, I also added the open and read permission.

    module reposync_tomcat 1.0;

    require {
            type tomcat_t;
            type spacewalk_log_t;
            class file { open read };
    }

    #============= tomcat_t ==============
    allow tomcat_t spacewalk_log_t:file open;
    allow tomcat_t spacewalk_log_t:file read;
