Description of problem: On our Fedora 19 server, I have set up SVN repositories served through Apache, with mod_authnz_external + pwauth to handle authentication. When checking out a repository, the logs get flooded with "setroubleshoot: SELinux is preventing /usr/bin/pwauth from write access on the file /var/log/lastlog..." messages, which eventually get replaced by "audispd: queue is full - dropping event". The message itself does not appear to be critical, but is annoying, especially since it means that on our server VM, setroubleshoot keeps hogging CPU during repository checkouts. This can be reproduced by setting up apache with mod_authnz_external + pwauth on any content it serves: 1. install pwauth, httpd, mod_authnz_external 2. set up some content to be served, and set up authentication. For example, create index.html in /var/www/html, and modify /etc/httpd/conf/httpd.conf: <Directory "/var/www/html"> Options Indexes FollowSymLinks AuthType Basic AuthName "PWauth test" AuthBasicProvider external AuthExternal pwauth Require valid-user </Directory> 3. access the served content, log in with local username/password => a denial message pops up NOTE: it seems pwauth requires both 'write' and 'open' access (i.e., if 'write' access is fixed with local policy, the messages about 'open' access start popping up) SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that pwauth should be allowed write access on the lastlog file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pwauth /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pwauth_t:s0 Target Context system_u:object_r:lastlog_t:s0 Target Objects lastlog [ file ] Source pwauth Source Path /usr/bin/pwauth Port <Unknown> Host (removed) Source RPM Packages pwauth-2.3.10-5.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.11.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.11.7-200.fc19.x86_64 #1 SMP Mon Nov 4 14:09:03 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-11-09 18:06:54 CET Last Seen 2013-11-09 18:06:54 CET Local ID 5f12bbc8-fd14-424a-9eb5-1fa81b4bfa64 Raw Audit Messages type=AVC msg=audit(1384016814.645:562): avc: denied { write } for pid=4152 comm="pwauth" name="lastlog" dev="dm-1" ino=262220 scontext=system_u:system_r:pwauth_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file type=SYSCALL msg=audit(1384016814.645:562): arch=x86_64 syscall=open success=no exit=EACCES a0=7f43066014c3 a1=1 a2=0 a3=7f4304040dd0 items=0 ppid=4146 pid=4152 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=pwauth exe=/usr/bin/pwauth subj=system_u:system_r:pwauth_t:s0 key=(null) Hash: pwauth,pwauth_t,lastlog_t,file,write Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.7-200.fc19.x86_64 type: libreport
commit cfbed5a126d9a7a86783dd6f756709b18376b407 Author: Miroslav Grepl <mgrepl> Date: Mon Nov 11 13:45:16 2013 +0100 pwauth uses lastlog() to update system's lastlog
selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19
Package selinux-policy-3.12.1-74.14.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.