11-01-2011, 07:16 PM
Trey Dockendorf

SELinux and SETroubleshootd woes in CR

I'm setting up a dedicated database server, and since this will be a
central service to my various web servers I wanted it to be as secure as
possible...so I am leaving SELinux enabled. However I'm having trouble
getting Apache to use mod_auth_pam. I also now can't get setroubleshootd
working to send me notifications of the denials and provide tips to solve
the problem.

The Apache service has this directive on the default vhost,
-------------------
<Directory "/usr/share/phpMyAdmin">
AuthPAM_Enabled on
AllowOverride None
AuthName "HTTP Auth"
AuthType basic
require valid-user
</Directory>

When I attempt to authenticate I noticed this in /var/log/secure
--------------------
Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied

This is the entry from the audit log...
----------------
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for
pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102
pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for
pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102
auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)


As for setroubleshoot, I have a duplicate install working just fine on
another server, or at least it was working. I'm worried updating to CR may
have broken setroubleshootd. Mainly I'd like to know how to troubleshoot
that application. Messagebus is running.

Running setroubleshootd yields these results...
-------------------
# setroubleshootd -f -V
2011-11-01 15:11:53,919 [database.DEBUG] created new database:
name=audit_listener, friendly_name=Audit Listener,
filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible
with current 3.0 version
2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins()
names=['httpd_bad_labels', 'allow_saslauthd_read_shadow',
'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind',
'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw',
'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share',
'filesystem_associate', 'fcron_crond', 'inetd_bind_ports',
'named_write_master_zones', 'qemu_file_image', 'catchall',
'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs',
'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod',
'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports',
'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data',
'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp',
'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device',
'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce',
'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox',
'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm',
'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack',
'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs',
'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default',
'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon',
'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core',
'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod',
'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server',
'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any',
'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource',
'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs',
'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any',
'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
2011-11-01 15:11:53,923 [plugin.INFO] importing
/usr/share/setroubleshoot/plugins/__init__ as plugins
2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list:
input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list:
{unix}/var/run/setroubleshoot/setroubleshoot_server -->
{unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket:
{unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [server.INFO] creating system dbus:
bus_name=org.fedoraproject.Setroubleshootd
object_path=/org/fedoraproject/Setroubleshootd
interface=org.fedoraproject.SetroubleshootdIface
2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__
/org/fedoraproject/Setroubleshootd called
2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
2011-11-01 15:12:05,119 [database.DEBUG] writing database
(/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
------------------------

I've found this resource,
http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
but have no idea how to make that change or where that modification would
go.

Please let me know what other information would be useful.

Thanks
- Trey
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-01-2011, 07:24 PM
Daniel J Walsh

SELinux and SETroubleshootd woes in CR

On 11/01/2011 04:16 PM, Trey Dockendorf wrote:
> I'm setting up a dedicated database server, and since this will be
> a central service to my various web servers I wanted it to be as
> secure as possible...so I am leaving SELinux enabled. However I'm
> having trouble getting Apache to use mod_auth_pam. I also now
> can't get setroubleshootd working to send me notifications of the
> denials and provide tips to solve the problem.
>
> The Apache service has this directive on the default vhost,
> ------------------- <Directory "/usr/share/phpMyAdmin">
> AuthPAM_Enabled on AllowOverride None AuthName "HTTP Auth" AuthType
> basic require valid-user </Directory>
>
> When I attempt to authenticate I noticed this in /var/log/secure
> -------------------- Nov 1 15:06:58 host httpd: PAM audit_open()
> failed: Permission denied
>
> This is the entry from the audit log... ---------------- type=AVC
> msg=audit(1320178016.209:919): avc: denied { create } for
> pid=22689 comm="unix_chkpwd"
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0
> tclass=netlink_audit_socket type=SYSCALL
> msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no
> exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102
> pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd"
> exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0
> key=(null) type=AVC msg=audit(1320178018.386:920): avc: denied {
> create } for pid=20102 comm="httpd"
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0
> tclass=netlink_audit_socket type=SYSCALL
> msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no
> exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500
> uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
> tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
>
> As for setroubleshoot, I have a duplicate install working just fine
> on another server, or at least it was working. I'm worried
> updating to CR may have broken setroubleshootd. Mainly I'd like to
> know how to troubleshoot that application. Messagebus is running.
>
> Running setroubleshootd yields these results...
> ------------------- # setroubleshootd -f -V 2011-11-01 15:11:53,919
> [database.DEBUG] created new database: name=audit_listener,
> friendly_name=Audit Listener,
> filepath=/var/lib/setroubleshoot/audit_listener_database.xml
> 2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0
> compatible with current 3.0 version 2011-11-01 15:11:53,923
> [plugin.DEBUG] load_plugins() names=['httpd_bad_labels',
> 'allow_saslauthd_read_shadow', 'tftpd_write_content',
> 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind',
> 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw',
> 'allow_java_execstack', 'allow_httpd_sys_script_anon_write',
> 'samba_share', 'filesystem_associate', 'fcron_crond',
> 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image',
> 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail',
> 'httpd_enable_homedirs', 'wine', 'xen_image',
> 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6',
> 'httpd_can_network_connect_db', 'sys_module', 'bind_ports',
> 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data',
> 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp',
> 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write',
> 'device', 'catchall_boolean', 'automount_exec_config', 'leaks',
> 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config',
> 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi',
> 'httpd_tty_comm', 'public_content', 'ftp_home_dir',
> 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs',
> 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting',
> 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs',
> 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy',
> 'pppd_can_insmod', 'allow_daemons_dump_core',
> 'httpd_write_content', 'allow_httpd_anon_write',
> 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro',
> 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool',
> 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs',
> 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs',
> 'connect_ports', 'swapfile', 'httpd_use_nfs',
> 'httpd_can_network_relay', 'allow_cvs_read_shadow',
> 'squid_connect_any', 'mounton', 'qemu_blk_image',
> 'user_tcp_server', 'restore_source_context'] 2011-11-01
> 15:11:53,923 [plugin.INFO] importing
> /usr/share/setroubleshoot/plugins/__init__ as plugins 2011-11-01
> 15:11:55,114 [avc.DEBUG] Number of Plugins = 90 2011-11-01
> 15:11:55,116 [communication.DEBUG] parse_socket_address_list:
> input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
> 2011-11-01 15:11:55,117 [communication.DEBUG]
> parse_socket_address_list:
> {unix}/var/run/setroubleshoot/setroubleshoot_server -->
> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [communication.DEBUG]
> new_listening_socket:
> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [server.INFO] creating system dbus:
> bus_name=org.fedoraproject.Setroubleshootd
> object_path=/org/fedoraproject/Setroubleshootd
> interface=org.fedoraproject.SetroubleshootdIface 2011-11-01
> 15:11:55,119 [server.DEBUG] dbus __init__
> /org/fedoraproject/Setroubleshootd called 2011-11-01 15:12:05,119
> [server.DEBUG] received signal=14 2011-11-01 15:12:05,119
> [server.DEBUG] KeyboardInterrupt in RunFaultServer 2011-11-01
> 15:12:05,119 [database.DEBUG] writing database
> (/var/lib/setroubleshoot/audit_listener_database.xml)
> modified_count=0 ------------------------
>
> I've found this resource,
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
> but have no idea how to make that change or where that modification would
> go.
>
> Please let me know what other information would be useful.
>
> Thanks - Trey _______________________________________________
> CentOS mailing list CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

Do you have the


allow_httpd_mod_auth_pam

boolean turned on?


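The denial quoted at the top of the thread can be read by hand while setroubleshootd is silent. The following is an added example, not part of any post and not code from setroubleshoot or audit2allow: it pairs each AVC record with its SYSCALL record by audit serial and decodes the failing call. The sample log is constructed from the records quoted above, the function names are illustrative, and the lookup tables hold standard Linux x86_64 values that the thread itself does not state.

```python
import errno
import re

# Constructed sample: the two audit events quoted in the thread, with the
# e-mail line wrapping removed so that each record sits on one line.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
'''

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: only the x86_64 (arch=c000003e) values this event needs.
SYSCALLS = {41: "socket"}
SOCKET_ARGS = ({16: "AF_NETLINK"}, {3: "SOCK_RAW"}, {9: "NETLINK_AUDIT"})


def fields(text):
    """Split 'k=v k="v"' audit fields into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def selinux_type(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]


def parse_events(log_text):
    """Group records by audit serial so each AVC meets its SYSCALL."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        event = events.setdefault(int(serial), {})
        if rtype == "AVC":
            avc = AVC_RE.search(body)
            if avc:
                event["perms"] = avc.group(1).split()
                event["avc"] = fields(avc.group(2))
        elif rtype == "SYSCALL":
            event["syscall"] = fields(body)
    return events


def describe_syscall(sc):
    """Decode a SYSCALL record; a0..a2 are hexadecimal in audit logs."""
    name = SYSCALLS.get(int(sc["syscall"]), "syscall#" + sc["syscall"])
    raw = [int(sc[k], 16) for k in ("a0", "a1", "a2")]
    # Symbolic argument names are only meaningful for socket().
    tables = SOCKET_ARGS if name == "socket" else ({}, {}, {})
    args = [table.get(value, hex(value)) for table, value in zip(tables, raw)]
    result = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
    return "%s(%s) = %s" % (name, ", ".join(args), result)


def denied_rules(events):
    """Collapse AVCs into 'source target:class { perms }' -> process names."""
    rules = {}
    for event in events.values():
        avc = event.get("avc")
        if not avc:
            continue
        src = selinux_type(avc["scontext"])
        tgt = selinux_type(avc["tcontext"])
        key = (src, "self" if tgt == src else tgt, avc["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "comms": set()})
        entry["perms"].update(event["perms"])
        entry["comms"].add(avc["comm"])
    return {
        "%s %s:%s { %s }" % (s, t, c, " ".join(sorted(e["perms"]))): sorted(e["comms"])
        for (s, t, c), e in rules.items()
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_LOG)
    for rule, comms in denied_rules(events).items():
        print("denied:", rule, "| processes:", ", ".join(comms))
    for serial, event in sorted(events.items()):
        print(serial, event["syscall"]["exe"], describe_syscall(event["syscall"]))
```

Both events collapse to a single denied access, httpd_t creating a netlink_audit_socket of its own, and the decoded call is the audit socket open that /var/log/secure reports as "PAM audit_open() failed: Permission denied".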
 
11-01-2011, 08:14 PM
Trey Dockendorf

SELinux and SETroubleshootd woes in CR

>
> Do you have the
>
>
> allow_httpd_mod_auth_pam
>
> boolean turned on?
>
>
>

Ah! I did not know about setsebool.

It's now not failing on SELinux (at least that I can tell). Now I get this
in /var/log/secure...

Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user
(treydock)
Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure;
logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab
'FILE:/etc/krb5.keytab'
Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for
'treydock' (treydock@TAMU.EDU)
Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info
(treydock)


The keytab error is expected, because to authenticate with my university's
Kerberos system it's without adding my server to their databases. I
have other servers on CentOS 5 and 6 running this just fine, so right
now SELinux is the only difference between them.

Also, I'm still concerned I never got an email from setroubleshootd about
the denials that are now fixed by using setsebool. Any steps I can take to
troubleshoot the problem?

Thanks
- Trey
 
11-02-2011, 12:12 AM
Trey Dockendorf

SELinux and SETroubleshootd woes in CR

>
>
> Do you have the
>
>
> allow_httpd_mod_auth_pam
>
> boolean turned on?
>
>
>

(Accidentally sent as quote )

Ah! I did not know about setsebool.

It's now not failing on SELinux (at least that I can tell). Now I get this
in /var/log/secure...

Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user
(treydock)
Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure;
logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab
'FILE:/etc/krb5.keytab'
Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for
'treydock' (treydock@TAMU.EDU)
Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info
(treydock)


The keytab error is expected, because to authenticate with my university's
Kerberos system it's without adding my server to their databases. I
have other servers on CentOS 5 and 6 running this just fine, so right
now SELinux is the only difference between them.

Also, I'm still concerned I never got an email from setroubleshootd about
the denials that are now fixed by using setsebool. Any steps I can take to
troubleshoot the problem?

Thanks
- Trey
 
11-02-2011, 12:54 PM
Daniel J Walsh

SELinux and SETroubleshootd woes in CR

On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
>
> Do you have the
>
>
> allow_httpd_mod_auth_pam
>
> boolean turned on?
>
>
>
>
> (Accidentally sent as quote )
>
> Ah! I did not know about setsebool.
>
> It's now not failing on SELinux (at least that I can tell). Now I
> get this in /var/log/secure...
>
> Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for
> user (treydock) Nov 1 16:08:07 host httpd: pam_unix(httpd:auth):
> authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
> user=treydock Nov 1 16:08:07 host httpd: pam_krb5[8049]: error
> reading keytab 'FILE:/etc/krb5.keytab' Nov 1 16:08:07 host httpd:
> pam_krb5[8049]: TGT verified Nov 1 16:08:07 host httpd:
> pam_krb5[8049]: authentication succeeds for 'treydock'
> (treydock@TAMU.EDU) Nov 1 16:08:07 host
> unix_chkpwd[22545]: could not obtain user info (treydock)
>
>
> The keytab error is expected, because to authenticate with my
> university's Kerberos system it's without adding my server to
> their databases. I have other servers on CentOS 5 and 6 running
> this just fine, so right now SELinux is the only difference
> between them.
>
> Also, I'm still concerned I never got an email from
> setroubleshootd about the denials that are now fixed by using
> setsebool. Any steps I can take to troubleshoot the problem?
>
> Thanks - Trey


It was probably blocked by a dontaudit rule. semodule -DB will turn
off dontaudit rules, but be prepared for a flood of useless avc's.

semodule -B

Turns it back on.
 
11-07-2011, 07:23 PM
Trey Dockendorf

SELinux and SETroubleshootd woes in CR

On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> >
> > Do you have the
> >
> >
> > allow_httpd_mod_auth_pam
> >
> > boolean turned on?
> >
> >
> >
> >
> > (Accidentally sent as quote )
> >
> > Ah! I did not know about setsebool.
> >
> > It's now not failing on SELinux (at least that I can tell). Now I
> > get this in /var/log/secure...
> >
> > Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> > Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for
> > user (treydock) Nov 1 16:08:07 host httpd: pam_unix(httpd:auth):
> > authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
> > user=treydock Nov 1 16:08:07 host httpd: pam_krb5[8049]: error
> > reading keytab 'FILE:/etc/krb5.keytab' Nov 1 16:08:07 host httpd:
> > pam_krb5[8049]: TGT verified Nov 1 16:08:07 host httpd:
> > pam_krb5[8049]: authentication succeeds for 'treydock'
> > (treydock@TAMU.EDU) Nov 1 16:08:07 host
> > unix_chkpwd[22545]: could not obtain user info (treydock)
> >
> >
> > The keytab error is expected, because to authenticate with my
> > university's Kerberos system it's without adding my server to
> > their databases. I have other servers on CentOS 5 and 6 running
> > this just fine, so right now SELinux is the only difference
> > between them.
> >
> > Also, I'm still concerned I never got an email from
> > setroubleshootd about the denials that are now fixed by using
> > setsebool. Any steps I can take to troubleshoot the problem?
> >
> > Thanks - Trey
>
>
> It was probably blocked by a dontaudit rule. semodule -DB will turn
> off dontaudit rules, but be prepared for a flood of useless avc's.
>
> semodule -B
>
> Turns it back on.
>


Sorry for the late reply...

I've disabled the dontaudits for now, hopefully that may shed some light on
this.

Are there any other methods to debug or troubleshoot setroubleshootd? Or
even to verify it's working? I'd like to rule out that the CR update is
the culprit to this no longer sending emails on denials.

I also can't seem to get the sealert GUI to work over X11 forwarding.
-----------
$ sealert -b -V
2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus:
org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated
abnormally without any error message


The text version seems to work fine though. However I would really like
the alerts via email as I begin to leave SELinux enabled on all new servers
I provision, and force myself to learn this.

Thanks
- Trey
 
11-07-2011, 08:02 PM
Daniel J Walsh

SELinux and SETroubleshootd woes in CR

On 11/07/2011 03:23 PM, Trey Dockendorf wrote:
>
>
> On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
>
>> Do you have the
>
>
>> allow_httpd_mod_auth_pam
>
>> boolean turned on?
>
>
>>

>
>
>
> Sorry for the late reply...
>
> I've disabled the dontaudits for now, hopefully that may shed some
> light on this.
>
> Are there any other methods to debug or troubleshoot
> setroubleshootd? Or even to verify it's working? I'd like to rule
> out that the CR update is the culprit to this no longer sending
> emails on denials.
>
> I also can't seem to get the sealert GUI to work over X11
> forwarding. ----------- $ sealert -b -V 2011-11-07 14:20:57,507
> [dbus.ERROR] could not start dbus:
> org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch
> terminated abnormally without any error message
>
>
> The text version seems to work fine though. However I would really
> like the alerts via email as I begin to leave SELinux enabled on
> all new servers I provision, and force myself to learn this.
>
> Thanks - Trey

grep email /etc/setroubleshoot/setroubleshoot.conf
 
11-07-2011, 08:29 PM
Trey Dockendorf

SELinux and SETroubleshootd woes in CR

On Mon, Nov 7, 2011 at 3:02 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 11/07/2011 03:23 PM, Trey Dockendorf wrote:
> >
> >
> > On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> >
> >> Do you have the
> >
> >
> >> allow_httpd_mod_auth_pam
> >
> >> boolean turned on?
> >
> >
> >>
>
> >
> >
> >
> > Sorry for the late reply...
> >
> > I've disabled the dontaudits for now, hopefully that may shed some
> > light on this.
> >
> > Are there any other methods to debug or troubleshoot
> > setroubleshootd? Or even to verify it's working? I'd like to rule
> > out that the CR update is the culprit to this no longer sending
> > emails on denials.
> >
> > I also can't seem to get the sealert GUI to work over X11
> > forwarding. ----------- $ sealert -b -V 2011-11-07 14:20:57,507
> > [dbus.ERROR] could not start dbus:
> > org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch
> > terminated abnormally without any error message
> >
> >
> > The text version seems to work fine though. However I would really
> > like the alerts via email as I begin to leave SELinux enabled on
> > all new servers I provision, and force myself to learn this.
> >
> > Thanks - Trey
>
> grep email /etc/setroubleshoot/setroubleshoot.conf
>

This configuration is on my KVM server which is almost static...the host I
began noticing this on has the same results from that command...

# grep email /etc/setroubleshoot/setroubleshoot.cfg
[email]
# recipients_filepath: Path name of file with email recipients. One address
recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
# from_address: The From: email header
# subject: The Subject: email header
# categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
# categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
 
11-07-2011, 08:46 PM
Daniel J Walsh

SELinux and SETroubleshootd woes in CR

On 11/07/2011 04:29 PM, Trey Dockendorf wrote:
>
>
> On Mon, Nov 7, 2011 at 3:02 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> On 11/07/2011 03:23 PM, Trey Dockendorf wrote:
>
>
>> On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
>
>>> Do you have the
>
>
>>> allow_httpd_mod_auth_pam
>
>>> boolean turned on?
>
>
>>>
>
>
>
>
>> Sorry for the late reply...
>
>> I've disabled the dontaudits for now, hopefully that may shed
>> some light on this.
>
>> Are there any other methods to debug or troubleshoot
>> setroubleshootd? Or even to verify it's working? I'd like to
>> rule out that the CR update is the culprit to this no longer
>> sending emails on denials.
>
>> I also can't seem to get the sealert GUI to work over X11
>> forwarding. ----------- $ sealert -b -V 2011-11-07 14:20:57,507
>> [dbus.ERROR] could not start dbus:
>> org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch
>> terminated abnormally without any error message
>
>
>> The text version seems to work fine though. However I would
>> really like the alerts via email as I begin to leave SELinux
>> enabled on all new servers I provision, and force myself to learn
>> this.
>
>> Thanks - Trey
>
> grep email /etc/setroubleshoot/setroubleshoot.conf
>
>
> This configuration is on my KVM server which is almost static...the
> host I began noticing this on has the same results from that
> command...
>
> # grep email /etc/setroubleshoot/setroubleshoot.cfg [email] #
> recipients_filepath: Path name of file with email recipients. One
> address recipients_filepath =
> /var/lib/setroubleshoot/email_alert_recipients # from_address: The
> From: email header # subject: The Subject: email header #
> categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email,
> gui, # categories is: [rpc, xml, cfg, alert, sig, plugin, avc,
> email, gui,
>

Sorry, I was trying to indicate that you can modify this file to setup
setroubleshoot to send mail.
 
