On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh dwalsh@redhat.com wrote:
On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
Do you have the allow_httpd_mod_auth_pam boolean turned on?
(Accidentally sent as quote)
Ah! I did not know about setsebool.
It's now not failing on SELinux (at least as far as I can tell). Now I get this in /var/log/secure...
Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock@TAMU.EDU)
Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
The keytab error is expected, because authenticating with my university's Kerberos system is done without adding my server to their databases. I have other servers on CentOS 5 and 6 running this just fine, and right now SELinux is the only difference between them.
Also, I'm still concerned I never got an email from setroubleshootd about the denials that are now fixed by using setsebool. Any steps I can take to troubleshoot the problem?
Thanks - Trey
It was probably blocked by a dontaudit rule.
semodule -DB
will turn off dontaudit rules, but be prepared for a flood of useless avc's.
semodule -B
Turns it back on.
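Added example (not from this thread or from the SELinux tools themselves): POSIX shell helpers for the two checks discussed above, the state of the allow_httpd_mod_auth_pam boolean and the denials that a dontaudit rule hides until semodule -DB. The audit lines in SAMPLE_AVC are constructed; capture_denials wraps the real semodule/ausearch commands and needs root on an SELinux host.

```shell
#!/bin/sh
# Helpers for the SELinux troubleshooting steps in the thread (added example).

# Parse one line of "getsebool <name>" output, e.g.
# "allow_httpd_mod_auth_pam --> off". Returns 0 if the boolean is on.
sebool_is_on() {
    case "$1" in
        *"--> on"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read audit records on stdin (audit.log or "ausearch -m AVC" output) and print
# one line per distinct denial: "scontext tcontext tclass { perms }".
avc_summary() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ *\([^}]*\)} .*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 { \1}/p' |
    sort -u
}

# Disable dontaudit rules, run the reproduction command given as arguments
# (for example a curl against the protected URL), collect the AVCs logged
# since the start, restore dontaudit, and print the summary. Root only.
capture_denials() {
    start_date=$(date +%m/%d/%Y)
    start_time=$(date +%H:%M:%S)
    tmp=$(mktemp) || return 1
    semodule -DB
    "$@" || true
    ausearch -m AVC -ts "$start_date" "$start_time" > "$tmp" 2>/dev/null || true
    semodule -B
    avc_summary < "$tmp"
    rm -f "$tmp"
}

# Constructed sample records: two identical denials from different pids plus
# one unrelated PAM record, so avc_summary should yield exactly one line.
SAMPLE_AVC='type=AVC msg=audit(1320185287.118:4567): avc:  denied  { read } for  pid=22541 comm="unix_chkpwd" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1320185287.119:4568): pid=22541 uid=48 subj=system_u:system_r:httpd_t:s0 op=PAM:authentication acct="treydock" res=failed
type=AVC msg=audit(1320185287.125:4570): avc:  denied  { read } for  pid=22545 comm="unix_chkpwd" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
```

With dontaudit disabled, `capture_denials curl -u user:pass https://host/protected` prints the distinct denials behind a failing PAM login; feed the output to audit2allow or audit2why only after checking whether an existing boolean already covers them.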
Sorry for the late reply...
I've disabled the dontaudits for now, hopefully that may shed some light on this.
Are there any other methods to debug or troubleshoot setroubleshootd? Or even to verify it's working? I'd like to rule out that the CR update is the culprit to this no longer sending emails on denials.
I also can't seem to get the sealert GUI to work over X11 forwarding.
-----------
$ sealert -b -V
2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated abnormally without any error message
The text version seems to work fine though. However, I would really like the alerts via email as I begin to leave SELinux enabled on all new servers I provision, and force myself to learn this.
Thanks - Trey