2014-07-22 22:58 GMT+03:00 Eero Volotinen <[email protected]>:
>
> 2014-07-22 22:01 GMT+03:00 Robin Eamonn Long <[email protected]>:
>
>> Hi Eero,
>>
>> I found this page:
>> http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
>> which suggests that:
>> There is a good chance you've got the $InputTCPServerRun and
>> $InputTCPServerStreamDriverMode directives in the wrong order; the
>> $InputTCPServerRun should come last.
>>
>> Then I got the error messages that the peer was not permitted to talk to
>> the server. It looks like the order of commands is very specific and needs
>> to be:
>>
>> $InputTCPServerStreamDriverAuthMode x509/name
>> $InputTCPServerStreamDriverPermittedPeer *.example.net
>> $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
>> $InputTCPServerRun 10514 # start up listener at port 10514
>>
>> It all seems to be working now.
>>
>> Do you know the selinux magic that I need to perform on the certificates
>> so that it works without disabling selinux?
>>
>
> You need to set the correct fcontext on the files (see man semanage), and
> semanage fcontext -l (to list the defined contexts), and then
> restorecon -Rv /path/to/directory
>
> --
> Eero
>
So this magic might work:

semanage fcontext -a -t syslog_conf_t "/path/to/keys(/.*)?"
restorecon -R -v /path/to/keys

Just a wild guess without any testing..

--
Eero
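The thread's finding is that rsyslog's legacy TLS directives are order-sensitive: every $InputTCPServerStreamDriver* line has to precede $InputTCPServerRun, or the listener starts before its auth mode and permitted peers are set and remote peers get rejected. The script below is an added example, not code from the thread or from the rsyslog project: a small POSIX shell/awk checker that reads a config file and reports whether $InputTCPServerRun appears after the last StreamDriver directive. The two sample configs it writes are constructed for the demonstration (the hostnames, port and file names are assumptions); the SELinux part of the thread is not covered because semanage and restorecon cannot be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): lint the ordering of rsyslog's
# legacy $InputTCPServer* directives. Exit 0 if $InputTCPServerRun comes
# after every $InputTCPServerStreamDriver* line, 1 if it comes first,
# 2 if no $InputTCPServerRun directive is present at all.

check_tcp_order() {
    # $1: path to an rsyslog configuration file
    awk '
        # remember the first line that starts the TCP listener
        /^[[:space:]]*\$InputTCPServerRun[[:space:]]/ { if (!run) run = NR }
        # remember the last line that configures the stream driver
        /^[[:space:]]*\$InputTCPServerStreamDriver/   { last = NR }
        END {
            if (!run) {
                print "no $InputTCPServerRun directive found"
                exit 2
            }
            if (last > run) {
                print "bad: $InputTCPServerRun on line " run \
                      " precedes a StreamDriver directive on line " last
                exit 1
            }
            print "ok: listener is started after the stream driver is configured"
            exit 0
        }
    ' "$1"
}

write_samples() {
    # $1: directory to write two constructed config fragments into.
    # wrong.conf mirrors the failure described in the thread: the listener
    # is started before AuthMode/PermittedPeer/Mode are set.
    cat > "$1/wrong.conf" <<'EOF'
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerRun 10514
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1
EOF
    # right.conf is the working order from the thread.
    cat > "$1/right.conf" <<'EOF'
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514
EOF
}

# Usage: sh check_order.sh /etc/rsyslog.conf
if [ $# -eq 1 ]; then
    check_tcp_order "$1"
fi
```

Run it against the real /etc/rsyslog.conf (and anything in /etc/rsyslog.d that declares the TCP input) before restarting rsyslog; a non-zero exit is the symptom the thread describes, caught before any peer is turned away.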
