[CentOS] SELinux and SETroubleshootd woes in CR

Tue Nov 1 20:16:00 UTC 2011
Trey Dockendorf <treydock at gmail.com>

I'm setting up a dedicated database server, and since this will be a
central service to my various web servers I wanted it to be as secure as
possible...so I am leaving SELinux enabled.  However I'm having trouble
getting Apache to use mod_auth_pam.  I also now can't get setroubleshootd
working to send me notifications of the denials and provide tips to solve
the problem.

The Apache service has this directive on the default vhost,
-------------------
<Directory "/usr/share/phpMyAdmin">
        AuthPAM_Enabled on
        AllowOverride None
        AuthName "HTTP Auth"
        AuthType basic
        require valid-user
</Directory>

When I attempt to authenticate I noticed this in /var/log/secure
--------------------
Nov  1 15:06:58 host httpd: PAM audit_open() failed: Permission denied

This is the entry from the audit log...
----------------
type=AVC msg=audit(1320178016.209:919): avc:  denied  { create } for
 pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102
pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc:  denied  { create } for
 pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102
auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)


As for setroubleshoot, I have a duplicate install working just fine on
another server, or at least it was working.  I'm worried updating to CR may
have broken setroubleshootd.  Mainly I'd like to know how to troubleshoot
that application.  Messagebus is running.

Running setroubleshootd yields these results...
-------------------
# setroubleshootd -f -V
2011-11-01 15:11:53,919 [database.DEBUG] created new database:
name=audit_listener, friendly_name=Audit Listener,
filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible
with current 3.0 version
2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins()
names=['httpd_bad_labels', 'allow_saslauthd_read_shadow',
'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind',
'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw',
'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share',
'filesystem_associate', 'fcron_crond', 'inetd_bind_ports',
'named_write_master_zones', 'qemu_file_image', 'catchall',
'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs',
'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod',
'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports',
'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data',
'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp',
'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device',
'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce',
'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox',
'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm',
'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack',
'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs',
'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default',
'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon',
'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core',
'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod',
'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server',
'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any',
'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource',
'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs',
'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any',
'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
2011-11-01 15:11:53,923 [plugin.INFO] importing
/usr/share/setroubleshoot/plugins/__init__ as plugins
2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list:
input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list:
{unix}/var/run/setroubleshoot/setroubleshoot_server -->
{unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket:
{unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [server.INFO] creating system dbus:
bus_name=org.fedoraproject.Setroubleshootd
object_path=/org/fedoraproject/Setroubleshootd
interface=org.fedoraproject.SetroubleshootdIface
2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__
/org/fedoraproject/Setroubleshootd called
2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
2011-11-01 15:12:05,119 [database.DEBUG] writing database
(/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
------------------------

I've found this resource,
http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
but have no idea how to make that change or where that modification would
go.

Please let me know what other information would be useful.

Thanks
- Trey
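
The audit entry quoted in the post, decoded as an added example (not part of the original message): this Python sketch pairs each AVC record with its SYSCALL record by event serial and decodes the socket() arguments, which the audit log prints in hexadecimal. The sample input is the post's four records with the mail line wrapping undone; the function names parse and explain are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four audit records from the post, with the mail
# line wrapping undone so that each record sits on one line.
SAMPLE = """\
type=AVC msg=audit(1320178016.209:919): avc:  denied  { create } for  pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc:  denied  { create } for  pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Linux values on x86_64 (arch=c000003e): socket() syscall number and constants.
SYS_SOCKET, AF_NETLINK, NETLINK_AUDIT, EACCES = 41, 16, 9, 13

def parse(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events[int(m.group(3))][m.group(1)] = fields
    return events

def explain(event):
    """Summarise one denial and decode the socket() call that triggered it."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    out = {"comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
           "tclass": avc["tclass"], "perms": avc["perms"], "exe": sc.get("exe")}
    if sc.get("syscall") == str(SYS_SOCKET):
        # a0..a3 are logged in hex: a0=10 is 0x10 = 16 (AF_NETLINK).
        family, proto = int(sc["a0"], 16), int(sc["a2"], 16)
        out["netlink_audit_socket_call"] = family == AF_NETLINK and proto == NETLINK_AUDIT
        out["eacces"] = int(sc["exit"]) == -EACCES
    return out
```

For event 919, explain reports domain httpd_t, class netlink_audit_socket, permission create, and confirms that the failing call was socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) returning EACCES, which matches the "PAM audit_open() failed: Permission denied" line in /var/log/secure.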