[CentOS] SELinux and SETroubleshootd woes in CR

Trey Dockendorf treydock at gmail.com
Mon Nov 7 20:23:57 UTC 2011


On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> >
> > Do you have the allow_httpd_mod_auth_pam boolean turned on?
> >
> >
> >
> > (Accidentally sent as quote)
> >
> > Ah! I did not know about setsebool.
> >
> > It's now not failing on SELinux (at least that I can tell).  Now I
> > get this in /var/log/secure...
> >
> > Nov  1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> > Nov  1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
> > Nov  1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock at TAMU.EDU)
> > Nov  1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
> >
> >
> > The keytab error is expected, because to authenticate with my
> > university's Kerberos system it's without adding my server to
> > their databases.  I have other servers on CentOS 5 and 6 running
> > this just fine, so right now SELinux is the only difference
> > between them.
> >
> > Also, I'm still concerned I never got an email from
> > setroubleshootd about the denials that are now fixed by using
> > setsebool.  Any steps I can take to troubleshoot the problem?
> >
> > Thanks - Trey
>
>
> It was probably blocked by a dontaudit rule.  semodule -DB will turn
> off dontaudit rules, but be prepared for a flood of useless avc's.
>
> semodule -B
>
> Turns it back on.
>


Sorry for the late reply...

I've disabled the dontaudits for now, hopefully that may shed some light on
this.

Are there any other methods to debug or troubleshoot setroubleshootd?  Or
even to verify it's working?  I'd like to rule out that the CR update is
the culprit to this no longer sending emails on denials.

I also can't seem to get the sealert GUI to work over X11 forwarding.
-----------
$ sealert -b -V
2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus:
org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated
abnormally without any error message


The text version seems to work fine though.  However I would really like
the alerts via email as I begin to leave SELinux enabled on all new servers
I provision, and force myself to learn this.

Thanks
- Trey
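
Added example, not part of the original message and not code from anyone in the thread: once dontaudit rules are off via `semodule -DB`, as the quoted reply suggests, this shell function reduces the resulting AVC flood to a per-domain summary. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AVC denials for one source
# domain, to keep the flood that follows `semodule -DB` readable.

# Constructed sample audit records, not taken from the poster's system.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1320700000.101:901): avc:  denied  { read } for  pid=8049 comm="httpd" name="krb5.keytab" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1320700001.102:902): avc:  denied  { read } for  pid=8050 comm="httpd" name="krb5.keytab" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1320700002.103:903): avc:  denied  { getattr } for  pid=8049 comm="httpd" path="/etc/shadow" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320700003.104:904): avc:  denied  { noatsecure } for  pid=911 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process
type=SYSCALL msg=audit(1320700003.104:904): arch=c000003e syscall=59 success=yes comm="sshd"
EOF
}

# summarize_avc DOMAIN
# Reads raw audit records on stdin and prints, most frequent first:
#   count comm source_type target_type class { perms }
# Assumes comm values contain no spaces.
summarize_avc() {
    awk -v dom="$1" '
    /type=AVC/ && /denied/ {
        comm = src = tgt = cls = perms = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == dom) n[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# On a live host (ausearch ships with the audit package):
#   semodule -DB                                   # dontaudit rules off
#   ... reproduce the failing login ...
#   ausearch -m avc -ts recent --raw | summarize_avc httpd_t
#   semodule -B                                    # dontaudit rules back on
sample_avc | summarize_avc httpd_t
```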


