I'm setting up a dedicated database server, and since this will be a central service to my various web servers I wanted it to be as secure as possible, so I am leaving SELinux enabled. However, I'm having trouble getting Apache to use mod_auth_pam. I also now can't get setroubleshootd working to send me notifications of the denials and provide tips to solve the problem.
The Apache service has this directive on the default vhost,
-------------------
<Directory "/usr/share/phpMyAdmin">
    AuthPAM_Enabled on
    AllowOverride None
    AuthName "HTTP Auth"
    AuthType basic
    require valid-user
</Directory>
When I attempt to authenticate, I notice this in /var/log/secure
--------------------
Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied
These are the entries from the audit log...
----------------
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
As for setroubleshoot, I have a duplicate install working just fine on another server, or at least it was working. I'm worried updating to CR may have broken setroubleshootd. Mainly I'd like to know how to troubleshoot that application. Messagebus is running.
Running setroubleshootd yields these results...
-------------------
# setroubleshootd -f -V
2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels', 'allow_saslauthd_read_shadow', 'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind', 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw', 'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share', 'filesystem_associate', 'fcron_crond', 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image', 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs', 'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports', 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data', 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp', 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device', 'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm', 'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core', 'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs', 'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any', 'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
2011-11-01 15:12:05,119 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
------------------------
I've found this resource, http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id..., but have no idea how to make that change or where that modification would go.
Please let me know what other information would be useful.
Thanks - Trey
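Editor's note (added example, not part of Trey's post and not code from setroubleshoot, audit2allow or mod_auth_pam): the AVC records above already contain everything needed to answer "what is being denied, was it actually blocked, and what minimal rule would permit it", which is the same reasoning audit2allow applies. The script below parses the four records quoted in the post (constructed inline, one record per line as they appear in a real audit.log), pairs each AVC with its SYSCALL record by serial to confirm the call really failed (success=no, exit=-13 is EACCES; in permissive mode the AVC is still logged but success=yes), and collapses the denials into type-enforcement rules and a loadable-module .te file. The module name httpd_pam_audit_local is an arbitrary choice for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four audit records quoted in the post, split one record
# per line (the post shows them run together; a real audit.log has one per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

# Real audit logs print "avc:  denied" with two spaces; the post has one, so allow both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for .*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*? success=(?P<success>yes|no) '
    r'exit=(?P<exit>-?\d+)')


def parse_audit(text):
    """Return (denials, outcomes): AVC records as dicts, and {serial: (succeeded, exit)}
    taken from the SYSCALL record that shares the serial number."""
    denials, outcomes = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec['perms'] = rec['perms'].split()
            denials.append(rec)
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m.group('serial')] = (m.group('success') == 'yes', int(m.group('exit')))
    return denials, outcomes


def context_type(ctx):
    """user:role:type[:level] -> type; the type is what type enforcement decides on."""
    return ctx.split(':')[2]


def enforced_serials(denials, outcomes):
    """Serials whose SYSCALL record shows the call really failed. Under permissive mode
    the AVC is still written but success=yes, so this tells 'would deny' from 'did deny'."""
    return [d['serial'] for d in denials
            if d['serial'] in outcomes and not outcomes[d['serial']][0]]


def te_rules(denials):
    """Collapse denials into minimal allow rules, grouping by (source, target, class)
    and using 'self' when source and target types match, as audit2allow does."""
    grouped = defaultdict(set)
    for d in denials:
        src, tgt = context_type(d['scontext']), context_type(d['tcontext'])
        grouped[(src, 'self' if src == tgt else tgt, d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def module_source(name, denials):
    """Render a loadable-module .te file; 'name' is whatever the caller wants to call it."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types.add(context_type(d['scontext']))
        types.add(context_type(d['tcontext']))
        classes[d['tclass']].update(d['perms'])
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        p = sorted(perms)
        lines.append(f'\tclass {cls} ' + (p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }') + ';')
    lines += ['}', ''] + te_rules(denials)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    denials, outcomes = parse_audit(SAMPLE_AUDIT_LOG)
    print('enforced denials:', enforced_serials(denials, outcomes))
    print(module_source('httpd_pam_audit_local', denials))
```

On a live box the equivalent one-liner is `grep httpd_t /var/log/audit/audit.log | audit2allow -M httpd_pam_audit_local` followed by `semodule -i httpd_pam_audit_local.pp`; the .te produced here can be built by hand with `checkmodule -M -m -o x.mod x.te`, `semodule_package -o x.pp -m x.mod` and `semodule -i x.pp`. Two checks are worth making before loading anything: the records show /sbin/unix_chkpwd running in httpd_t with euid=48 rather than in its own helper domain, so confirm its label with `ls -Z /sbin/unix_chkpwd` (the targeted policy expects chkpwd_exec_t; a mislabeled binary is fixed with restorecon, not with a new allow rule), and expect that once netlink_audit_socket create is permitted PAM's audit_open() may surface a further denial on the same path, which the same parser will turn into the next rule.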