On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
Do you have the allow_httpd_mod_auth_pam boolean turned on?
(Accidentally sent as quote)
Ah! I did not know about setsebool.
It's now not failing on SELinux (at least that I can tell). Now I get this in /var/log/secure...
Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock@TAMU.EDU)
Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
The keytab error is expected, because authentication with my university's Kerberos system is done without adding my server to their databases. I have other servers on CentOS 5 and 6 running this just fine, and right now SELinux is the only difference between them.
Also, I'm still concerned I never got an email from setroubleshootd about the denials that are now fixed by using setsebool. Any steps I can take to troubleshoot the problem?
Thanks - Trey
It was probably blocked by a dontaudit rule. semodule -DB will turn off dontaudit rules, but be prepared for a flood of useless avc's.
semodule -B turns it back on.
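The dontaudit procedure from the last reply, as an added example that is not part of the original thread: the script disables dontaudit rules, waits while the login is reproduced, condenses the resulting flood of AVCs into counts per process, object class and permission, and then rebuilds the policy with dontaudit restored. The function names and the sample records are constructed for illustration; `ausearch -m avc -ts recent` is assumed as the way to read the audit log.

```shell
#!/bin/bash
# Added example, not code from the thread. Run with --trace as root on the
# SELinux host; with no arguments it only summarises the constructed sample.

# Constructed AVC records in audit.log format. The pids, inodes and denied
# accesses are invented and are NOT the denials from this thread.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1320181687.101:901): avc:  denied  { getattr } for  pid=8049 comm="httpd" path="/etc/shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320181687.102:902): avc:  denied  { getattr } for  pid=8050 comm="httpd" path="/etc/shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320181687.103:903): avc:  denied  { name_connect } for  pid=8049 comm="httpd" dest=88 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1320181687.103:903): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
}

# Read audit records on stdin; print "count comm tclass perms", busiest first.
avc_summary() {
    awk '/avc: +denied/ {
        perms = "?"; comm = "?"; tclass = "?"
        if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        seen[comm " " tclass " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

# Live workflow: show the boolean, expose dontaudit'ed denials, summarise them,
# then rebuild the policy with dontaudit rules back in place.
trace_dontaudit() {
    getsebool allow_httpd_mod_auth_pam      # boolean named in the thread
    semodule -DB || return 1                # rebuild policy without dontaudit
    printf 'Reproduce the failing login, then press Enter: '
    read -r _ignored
    ausearch -m avc -ts recent 2>/dev/null | avc_summary
    semodule -B                             # rebuild policy with dontaudit
}

case "${1:-}" in
    --trace) trace_dontaudit ;;
    *)       sample_avcs | avc_summary ;;
esac
```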