[CentOS] SELinux and SETroubleshootd woes in CR

Wed Nov 2 13:54:42 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>


On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> 
> Do you have the
> 
> 
> allow_httpd_mod_auth_pam
> 
> boolean turned on?
> 
> 
> (Accidentally sent as quote )
> 
> Ah! I did not know about setsebool.
> 
> It's now not failing on SELinux (at least that I can tell).  Now I
> get this in /var/log/secure...
> 
> Nov  1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> Nov  1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
> Nov  1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
> Nov  1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
> Nov  1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
> Nov  1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock at TAMU.EDU)
> Nov  1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
> 
> 
> The keytab error is expected, because to authenticate with my
> university's Kerberos system it's done without adding my server to
> their databases.  I have other servers on CentOS 5 and 6 running
> this just fine, and right now SELinux is the only difference
> between them.
> 
> Also, I'm still concerned I never got an email from
> setroubleshootd about the denials that are now fixed by using
> setsebool.  Any steps I can take to troubleshoot the problem?
> 
> Thanks - Trey


It was probably blocked by a dontaudit rule.  semodule -DB will turn
off dontaudit rules, but be prepared for a flood of useless avc's.

semodule -B

Turns it back on.
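The steps from this exchange wrapped into one script, as an added example that is not from the thread: it assumes the standard getsebool/setsebool, semodule and ausearch tools are present, and the AVC lines it summarises are a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the workflow Dan describes:
# turn on the httpd/PAM boolean, expose dontaudit-hidden denials with
# `semodule -DB` only for the duration of one reproduction, summarise the
# resulting AVC flood, and rebuild the policy again with `semodule -B`.

# Make sure the boolean from the thread is on; -P persists it across reboots.
ensure_pam_boolean() {
    getsebool allow_httpd_mod_auth_pam | grep -q ' on$' && return 0
    setsebool -P allow_httpd_mod_auth_pam on
}

# Read AVC records (ausearch -m avc output) on stdin and count denials per
# source domain, target type, object class and permission, busiest first.
avc_summary() {
    awk '
        /avc: *denied/ {
            src = ""; tgt = ""; cls = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            n[src " -> " tgt ":" cls " " perm]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Run one reproduction command with dontaudit rules disabled, summarise the
# denials it produced, and rebuild the policy even if the command fails.
with_dontaudit_off() {
    semodule -DB || return 1
    trap 'semodule -B' EXIT
    "$@"
    ausearch -m avc -ts recent 2>/dev/null | avc_summary
    semodule -B
    trap - EXIT
}

# Constructed sample of ausearch -m avc output (not a real capture) so the
# summariser can be exercised on a machine without SELinux tooling.
SAMPLE_AVC='type=AVC msg=audit(1320170887.112:201): avc:  denied  { read } for  pid=8049 comm="httpd" name="shadow" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320170887.115:202): avc:  denied  { open } for  pid=8049 comm="httpd" name="shadow" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320170887.120:203): avc:  denied  { read } for  pid=8050 comm="httpd" name="shadow" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Usage on a real host: ensure_pam_boolean; with_dontaudit_off <command that triggers the PAM login>
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On the sample the summary prints the two read denials on shadow_t first, then the single open; on a real host the same table tells you which of the exposed AVCs are worth a bug report and which are the expected dontaudit noise.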