Re: SELinux and SETroubleshootd woes in CR




On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> >
> > Do you have the
> >
> >
> > allow_httpd_mod_auth_pam
> >
> > boolean turned on?
> >
> >
> >
> > (Accidentally sent as quote)
> >
> > Ah! I did not know about setsebool.
> >
> > It's now not failing on SELinux (at least that I can tell).  Now I
> > get this in /var/log/secure...
> >
> > Nov  1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> > Nov  1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
> > Nov  1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
> > Nov  1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treydock@xxxxxxxx)
> > Nov  1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
> >
> >
> > The keytab error is expected, because to authenticate with my
> > university's Kerberos system it's without adding my server to
> > their databases.  I have other servers on CentOS 5 and 6 running
> > this just fine, so right now SELinux is the only difference
> > between them.
> >
> > Also, I'm still concerned I never got an email from
> > setroubleshootd about the denials that are now fixed by using
> > setsebool.  Any steps I can take to troubleshoot the problem?
> >
> > Thanks - Trey
>
>
> It was probably blocked by a dontaudit rule.  semodule -DB will turn
> off dontaudit rules, but be prepared for a flood of useless avc's.
>
> semodule -B
>
> Turns it back on.
>


Sorry for the late reply...

I've disabled the dontaudits for now, hopefully that may shed some light on
this.

Are there any other methods to debug or troubleshoot setroubleshootd?  Or
even to verify it's working?  I'd like to rule out that the CR update is
the culprit to this no longer sending emails on denials.

I also can't seem to get the sealert GUI to work over X11 forwarding.
-----------
$ sealert -b -V
2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus:
org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated
abnormally without any error message


The text version seems to work fine though.  However I would really like
the alerts via email as I begin to leave SELinux enabled on all new servers
I provision, and force myself to learn this.

Thanks
- Trey
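
Added example, not part of the original thread: once dontaudit rules are off (semodule -DB), the audit log fills with AVC records, and grouping them makes the flood reviewable before semodule -B is run again. The function names and the sample audit lines below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the thread).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1320178087.101:501): avc:  denied  { read } for  pid=22541 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1320178087.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1320178087.140:502): avc:  denied  { rlimitinh siginh } for  pid=22545 comm="unix_chkpwd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process
type=AVC msg=audit(1320178088.010:503): avc:  denied  { read } for  pid=22550 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1320178088.200:504): avc:  denied  { getattr } for  pid=8049 comm="httpd" name="krb5.keytab" dev=dm-0 ino=2044 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   count source_type target_type class permissions command
# Most frequent first. Non-AVC records are ignored.
summarize_avc() {
    LC_ALL=C awk '
    /avc: +denied/ {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"
        # Permissions sit between the braces, e.g. { read write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # A context is user:role:type:level; the type is the third part
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[src " " tgt " " cls " " perms " " comm]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real host feed it the audit log:
#   summarize_avc < /var/log/audit/audit.log
sample_audit_lines | summarize_avc
```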