On 11/01/2011 04:16 PM, Trey Dockendorf wrote:
> I'm setting up a dedicated database server, and since this will be
> a central service to my various web servers I wanted it to be as
> secure as possible...so I am leaving SELinux enabled. However I'm
> having trouble getting Apache to use mod_auth_pam. I also now
> can't get setroubleshootd working to send me notifications of the
> denials and provide tips to solve the problem.
>
> The Apache service has this directive on the default vhost,
> -------------------
> <Directory "/usr/share/phpMyAdmin">
>     AuthPAM_Enabled on
>     AllowOverride None
>     AuthName "HTTP Auth"
>     AuthType basic
>     require valid-user
> </Directory>
>
> When I attempt to authenticate I noticed this in /var/log/secure
> --------------------
> Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied
>
> This is the entry from the audit log...
> ----------------
> type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> As for setroubleshoot, I have a duplicate install working just fine
> on another server, or at least it was working. I'm worried
> updating to CR may have broken setroubleshootd. Mainly I'd like to
> know how to troubleshoot that application. Messagebus is running.
>
> Running setroubleshootd yields these results...
> -------------------
> # setroubleshootd -f -V
> 2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
> 2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
> 2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels', 'allow_saslauthd_read_shadow', 'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind', 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw', 'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share', 'filesystem_associate', 'fcron_crond', 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image', 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs', 'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports', 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data', 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp', 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device', 'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm', 'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core', 'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs', 'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any', 'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
> 2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
> 2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
> 2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
> 2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
> 2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
> 2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
> 2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
> 2011-11-01 15:12:05,119 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
> ------------------------
>
> I've found this resource,
>
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
>
> but have no idea how to make that change or where that modification would go.
>
> Please let me know what other information would be useful.
>
> Thanks - Trey
Do you have the allow_httpd_mod_auth_pam boolean turned on?
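An added example, not part of this thread: a POSIX shell snippet that parses the AVC records quoted above (embedded here as constructed sample input, copied from the mail) into "comm domain tclass perms" lines, counts the httpd_t denials on netlink_audit_socket, and prints the commands an admin would run to check and persistently enable the boolean named in the reply. The function names and field parsing are mine; getsebool and setsebool -P are the standard SELinux tools.

```shell
#!/bin/sh
# Sample input: the two AVC records quoted in the original mail (constructed sample, copied from the thread).
AVC_SAMPLE='type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket'

# avc_summary: one line per AVC record -> "<comm> <source domain> <tclass> <denied perms>"
avc_summary() {
    printf '%s\n' "$1" | awk '/^type=AVC/ {
        comm=""; dom=""; cls=""; perms="";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm=$i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); dom=a[3] }   # user:role:type:level -> type
            if ($i ~ /^tclass=/)   { cls=$i; sub(/^tclass=/, "", cls) }
        }
        # permissions are the words between the braces after "denied"
        match($0, /\{[^}]*\}/); perms=substr($0, RSTART+1, RLENGTH-2); gsub(/^ +| +$/, "", perms)
        print comm, dom, cls, perms
    }'
}

# pam_denial_count: number of records where an httpd_t process was denied on netlink_audit_socket
# (the pattern in the mail: httpd and unix_chkpwd, both running as httpd_t, trying to open the audit socket)
pam_denial_count() {
    avc_summary "$1" | awk '$2 == "httpd_t" && $3 == "netlink_audit_socket" { n++ } END { print n + 0 }'
}

# suggest_fix: print the check/enable commands for the boolean suggested in the reply
suggest_fix() {
    if [ "$(pam_denial_count "$1")" -gt 0 ]; then
        cat <<'EOF'
getsebool allow_httpd_mod_auth_pam
setsebool -P allow_httpd_mod_auth_pam on
EOF
    fi
}

avc_summary "$AVC_SAMPLE"
suggest_fix "$AVC_SAMPLE"
```

Feed the script a real audit.log excerpt instead of AVC_SAMPLE to get the same summary for other denials; setsebool -P writes the boolean to the persistent policy store, so it survives a reboot.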