Hi Eero,

Thanks for the advice. That command does not seem to work, it changes the context from:

drwxr-x---. root root unconfined_u:object_r:etc_t:s0   certificates
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

to

drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
-rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
-rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

but then results in the error:
could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078

which usually translates as "cannot read your CA file".

Will keep trying,

Thanks for all the help.

Robin.

On 23/07/14 03:34, Eero Volotinen wrote:

2014-07-22 22:58 GMT+03:00 Eero Volotinen <[email protected]>:

    2014-07-22 22:01 GMT+03:00 Robin Eamonn Long <[email protected]>:

        Hi Eero,

        I found this page:
        http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
        which suggests that:
        There is a good chance you’ve got the $InputTCPServerRun and
        $InputTCPServerStreamDriverMode directives in the wrong order,
        the $InputTCPServerRun should come last.

        Then I got the error messages that the peer was not permitted
        to talk to the server.  It looks like the order of commands is
        very specific and needs to be:

        $InputTCPServerStreamDriverAuthMode x509/name
        $InputTCPServerStreamDriverPermittedPeer *.example.net
        $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
        $InputTCPServerRun 10514 # start up listener at port 10514

        It seems to all be working now.

        Do you know the selinux magic that I need to perform on the
        certificates so that it works without disabling selinux?


    You need to set correct fcontext to files (see man semanage) and
    semanage fcontext -l (to list defined context) and then restorecon
    -Rv /path/to/directory

    --
    Eero


So this magic might work:

semanage fcontext -a -t syslog_conf_t "/path/to/keys(/.*)?"

restorecon -R -v /path/to/keys

just a wild guess without any testing..

--
Eero


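Added example, not part of this thread and not rsyslog's or the SELinux policy's own tooling: two offline checks for the two problems discussed above, the rsyslog directive order Robin found (the $InputTCPServerStreamDriver* lines must precede $InputTCPServerRun) and the certificate labels Eero's semanage/restorecon advice is meant to fix. The sample config and `ls -Z` lines are constructed from the messages above. The thread never says which SELinux type finally worked, so cert_t below is only an assumption, chosen because that is the type /etc/pki carries on RHEL/CentOS; pass whatever type you settle on as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks that run without
# rsyslog or SELinux tools present:
#   check_directive_order CONFIG  -> prints "ok" / "bad order", status 0 / 1
#   find_mislabeled TYPE LSZ_FILE -> prints names whose SELinux type != TYPE,
#                                    status 1 if any were found
# Assumption: cert_t is used as the expected type only because /etc/pki is
# labelled cert_t on RHEL/CentOS; the thread does not establish the right type.

# Legacy-format rsyslog config: every $InputTCPServerStreamDriver* directive
# has to appear before $InputTCPServerRun, otherwise the listener starts
# before the TLS settings are applied (the symptom described above).
check_directive_order() {
    awk '
        $1 == "$InputTCPServerRun" { run = NR }
        index($1, "$InputTCPServerStreamDriver") == 1 && run { bad = 1 }
        END {
            if (!run) { print "no $InputTCPServerRun"; exit 2 }
            if (bad)  { print "bad order"; exit 1 }
            print "ok"
        }
    ' "$1"
}

# Saved `ls -Z` output in the format shown in the thread:
#   <mode> <user> <group> <seuser>:<role>:<type>:<level> <name>
# The context is field 4; its type is the third colon-separated part.
# (Newer coreutils print only "<context> <name>"; adjust $4 if so.)
find_mislabeled() {
    expected="$1"; shift
    awk -v want="$expected" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) { print $NF; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample inputs, written to a temp dir removed on exit.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/good.conf" <<'EOF'
# order from the thread: StreamDriver settings first, Run last
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514
EOF

cat > "$TMPD/bad.conf" <<'EOF'
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1
EOF

# Labels as Robin reported them after relabelling, plus a constructed
# ca.pem that already carries the (assumed) expected type.
cat > "$TMPD/lsz.txt" <<'EOF'
drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
-rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
-rw-r-----. root root unconfined_u:object_r:cert_t:s0 ca.pem
EOF

check_directive_order "$TMPD/good.conf"   # ok
check_directive_order "$TMPD/bad.conf" \
    || echo "fix: move \$InputTCPServerRun below the StreamDriver lines"
find_mislabeled cert_t "$TMPD/lsz.txt" \
    || echo "relabel the paths above (semanage fcontext -a -t TYPE ..., then restorecon -Rv)"
```

Run it against a real `ls -Z /path/to/certificates > lsz.txt` capture and your rsyslog.conf; a non-zero status from either function is the thing to fix before touching the SELinux mode.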