On 11/01/2011 04:16 PM, Trey Dockendorf wrote:
I'm setting up a dedicated database server, and since this will be a central service to my various web servers I wanted it to be as secure as possible...so I am leaving SELinux enabled. However I'm having trouble getting Apache to use mod_auth_pam. I also now can't get setroubleshootd working to send me notifications of the denials and provide tips to solve the problem.
The Apache service has this directive on the default vhost,
-------------------
<Directory "/usr/share/phpMyAdmin">
    AuthPAM_Enabled on
    AllowOverride None
    AuthName "HTTP Auth"
    AuthType basic
    require valid-user
</Directory>

When I attempt to authenticate I noticed this in /var/log/secure
--------------------
Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied

This is the entry from the audit log...
----------------
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
As for setroubleshoot, I have a duplicate install working just fine on another server, or at least it was working. I'm worried updating to CR may have broken setroubleshootd. Mainly I'd like to know how to troubleshoot that application. Messagebus is running.
Running setroubleshootd yields these results...
-------------------
# setroubleshootd -f -V
2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels', 'allow_saslauthd_read_shadow', 'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind', 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw', 'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share', 'filesystem_associate', 'fcron_crond', 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image', 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs', 'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports', 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data', 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp', 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device', 'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm', 'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core', 'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs', 'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any', 'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
2011-11-01 15:12:05,119 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
------------------------
I've found this resource, http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id..., but have no idea how to make that change or where that modification would go.
Please let me know what other information would be useful.
Thanks - Trey
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Do you have the
allow_httpd_mod_auth_pam
boolean turned on?
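Added example, not part of the original thread: a shell/awk helper that joins each AVC denial with its SYSCALL record by audit event id, so the denied class and permission can be read next to the executable and errno before looking for a matching boolean. The function names (avc_events, suggest_boolean, sample_audit_log) are made up for this example; the sample records are the ones from the first message, one record per line as in audit.log.

```sh
#!/bin/sh
# Added example: summarize AVC denials together with their SYSCALL records.
# Input:  audit.log records on stdin, one record per line.
# Output: id source_type target_class {perms} comm=... exe=... exit=...
avc_events() {
    awk '
    function field(name,    i, v) {          # value of name=... in this record
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    function event_id(    m, s, e) {         # 919 from msg=audit(1320178016.209:919):
        m = field("msg"); s = index(m, ":"); e = index(m, ")")
        return (s && e > s) ? substr(m, s + 1, e - s - 1) : ""
    }
    $1 == "type=AVC" && /avc: +denied/ {
        id = event_id()
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)  # text between the braces
        gsub(/^ +| +$/, "", perms)
        split(field("scontext"), ctx, ":")    # user:role:type:level
        if (!(id in avc)) order[++n] = id
        avc[id] = ctx[3] " " field("tclass") " {" perms "} comm=" field("comm")
    }
    $1 == "type=SYSCALL" {
        # In these records syscall=41 is socket() on x86_64, a0=10 (hex) is
        # AF_NETLINK, a2=9 is NETLINK_AUDIT, and exit=-13 is EACCES.
        sys[event_id()] = "exe=" field("exe") " exit=" field("exit")
    }
    END { for (k = 1; k <= n; k++) print order[k], avc[order[k]], sys[order[k]] }
    '
}

# Map a summarized denial to the boolean discussed in this thread. Only the
# one pairing the thread establishes is listed; on a live host audit2why
# names the boolean for a denial, and getsebool shows its current state.
suggest_boolean() {
    case "$1" in
        *"httpd_t netlink_audit_socket {create}"*) echo allow_httpd_mod_auth_pam ;;
        *) echo unknown ;;
    esac
}

# Sample records taken from the first message in this thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
EOF
}

# Print each event followed by the boolean to check.
sample_audit_log | avc_events | while read -r line; do
    printf '%s -> %s\n' "$line" "$(suggest_boolean "$line")"
done
```

On a real host, feed it /var/log/audit/audit.log instead of the embedded sample.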
On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
(Accidentally sent as quote)
Ah! I did not know about setsebool.
It's now not failing on SELinux (at least that I can tell). Now I get this in /var/log/secure...
Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock@TAMU.EDU)
Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
The keytab error is expected, because to authenticate with my university's Kerberos system it's without adding my server to their databases. I have other servers on CentOS 5 and 6 running this just fine, so right now SELinux is the only difference between them.
Also, I'm still concerned I never got an email from setroubleshootd about the denials that are now fixed by using setsebool. Any steps I can take to troubleshoot the problem?
Thanks - Trey
On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh dwalsh@redhat.com wrote:
It was probably blocked by a dontaudit rule. semodule -DB will turn off dontaudit rules, but be prepared for a flood of useless avc's.
semodule -B
Turns it back on.
Sorry for the late reply...
I've disabled the dontaudits for now, hopefully that may shed some light on this.
Are there any other methods to debug or troubleshoot setroubleshootd? Or even to verify it's working? I'd like to rule out that the CR update is the culprit to this no longer sending emails on denials.
I also can't seem to get the sealert GUI to work over X11 forwarding.
-----------
$ sealert -b -V
2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated abnormally without any error message
The text version seems to work fine though. However I would really like the alerts via email as I begin to leave SELinux enabled on all new servers I provision, and force myself to learn this.
Thanks - Trey
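Added example, not part of the original thread: one way to use the semodule -DB / semodule -B toggle from this exchange without wading through the flood it produces. The function rebuilds policy without dontaudit rules, runs a single reproduction command, prints only the AVC records whose source type matches one domain, and rebuilds with dontaudit rules restored. The function name hidden_denials is made up for this example, and it assumes root plus ausearch from the audit package.

```sh
#!/bin/sh
# Added example: expose denials hidden by dontaudit rules for one domain.
# Usage (as root):
#   hidden_denials httpd_t <command that repeats the failing login>
hidden_denials() {
    if [ "$#" -lt 2 ]; then
        echo "usage: hidden_denials DOMAIN CMD [ARGS...]" >&2
        return 2
    fi
    domain=$1; shift

    # Rebuild the policy with dontaudit rules removed.
    semodule -DB || return 1
    # If interrupted, put the dontaudit rules back before exiting.
    trap 'semodule -B; exit 130' INT TERM

    # Reproduce the failure; keep its status without aborting under set -e.
    "$@" && rc=0 || rc=$?

    # Records from the last 10 minutes, cut down to the domain of interest
    # (matches the type field of scontext=user:role:type:level).
    ausearch -m avc -ts recent 2>/dev/null |
        grep "scontext=[^ ]*:${domain}:" || true

    # Rebuild with dontaudit rules back in place.
    semodule -B && restored=0 || restored=$?
    trap - INT TERM
    if [ "$restored" -ne 0 ]; then
        echo "dontaudit rules were NOT restored; run: semodule -B" >&2
        return 1
    fi
    return "$rc"
}
```

The return value is the reproduction command's exit status, so the function can be used in a script that checks whether the login attempt itself succeeded.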
On Mon, Nov 7, 2011 at 3:02 PM, Daniel J Walsh dwalsh@redhat.com wrote:
grep email /etc/setroubleshoot/setroubleshoot.conf
This configuration is on my KVM server which is almost static...the host I began noticing this on has the same results from that command...
# grep email /etc/setroubleshoot/setroubleshoot.cfg
[email]
# recipients_filepath: Path name of file with email recipients. One address
recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
# from_address: The From: email header
# subject: The Subject: email header
# categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
# categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
Sorry, I was trying to indicate that you can modify this file to set up setroubleshoot to send mail.