Maybe cert_t is correct context as certificates are usually located under /etc/pki
so try something like:

semanage fcontext -a -t cert_t "/path/to/keys(/.*)?"
restorecon -R -v /path/to/keys

and you should also be familiar with selinux audit logs to figure out correct context.

2014-07-23 11:43 GMT+03:00 Robin Long <[email protected]>:

> Hi Eero,
>
> Thanks for the advice. That command does not seem to work, it changes the
> context from:
>
> drwxr-x---. root root unconfined_u:object_r:etc_t:s0 certificates
> -rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
> -rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem
>
> to
>
> drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
> -rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
> -rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem
>
> but then results in the error:
> could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078
>
> which usually translates as "cannot read your CA file".
>
> Will keep trying,
>
> Thanks for all the help.
>
> Robin.
>
> On 23/07/14 03:34, Eero Volotinen wrote:
>
>> 2014-07-22 22:58 GMT+03:00 Eero Volotinen <[email protected]>:
>>
>>> 2014-07-22 22:01 GMT+03:00 Robin Eamonn Long <[email protected]>:
>>>
>>>> Hi Eero,
>>>>
>>>> I found this page:
>>>> http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
>>>> which suggests that:
>>>> There is a good chance you’ve got the $InputTCPServerRun and
>>>> $InputTCPServerStreamDriverMode directives in the wrong order, the
>>>> $InputTCPServerRun should come last.
>>>>
>>>> Then I got the error messages that the peer was not permitted to talk to
>>>> the server. It looks like the order of commands is very specific and needs
>>>> to be:
>>>>
>>>> $InputTCPServerStreamDriverAuthMode x509/name
>>>> $InputTCPServerStreamDriverPermittedPeer *.example.net
>>>> $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
>>>> $InputTCPServerRun 10514 # start up listener at port 10514
>>>>
>>>> It seems to all be working now.
>>>>
>>>> Do you know the selinux magic that I need to perform on the certificates
>>>> so that it works without disabling selinux?
>>>
>>> You need to set correct fcontext to files (see man semanage) and semanage
>>> fcontext -l (to list defined context) and then restorecon -Rv
>>> /path/to/directory
>>>
>>> --
>>> Eero
>>
>> So this magic might work:
>>
>> semanage fcontext -a -t syslog_conf_t "/path/to/keys(/.*)?"
>> restorecon -R -v /path/to/keys
>>
>> just a wild guess without any testing..
>>
>> --
>> Eero
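The two things this thread works through, the order-sensitive rsyslog TLS listener directives and finding the right SELinux label from an AVC denial before relabelling, as an added shell example that is not from the thread or from rsyslog itself. The two sample configs and the AVC line are constructed; the directory /etc/rsyslog.d/certs and cert_t as the target label are assumptions that have to be confirmed against the audit log on the real host.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks around the problems the
# thread runs into: (1) $InputTCPServerRun must come after all the
# $InputTCPServerStreamDriver* directives, (2) read the process and file
# types out of an AVC denial so the relabel targets something rsyslogd's
# domain can actually read, (3) emit the semanage/restorecon pair for it.
# Sample configs and the AVC line are constructed; the directory and the
# cert_t target are assumptions to verify on the real host.

# Directive order from the thread (the one that works).
GOOD_TLS_LISTENER='$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514'

# Listener started before the driver is configured (the failure described).
BAD_TLS_LISTENER='$ModLoad imtcp
$DefaultNetstreamDriver gtls
$InputTCPServerRun 10514
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1'

# Constructed AVC line of the shape found in /var/log/audit/audit.log when a
# confined rsyslogd tries to read a key still labelled admin_home_t
# (the label in Robin's directory listing).
SAMPLE_AVC='type=AVC msg=audit(1406112000.123:456): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="hostkey.pem" dev="dm-0" ino=123 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Returns 0 when every $InputTCPServerStreamDriver* directive precedes
# $InputTCPServerRun, 1 otherwise. Directives are matched at column 1.
check_rsyslog_tls_order() {
  cfg=$1
  n=0; run_line=0; last_driver=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      '$InputTCPServerRun'*)          run_line=$n ;;
      '$InputTCPServerStreamDriver'*) last_driver=$n ;;
    esac
  done <<EOF
$cfg
EOF
  [ "$run_line" -gt 0 ] && [ "$last_driver" -gt 0 ] && [ "$last_driver" -lt "$run_line" ]
}

# Prints the type field of scontext= (the process) or tcontext= (the file)
# from one AVC line. $1 = scontext|tcontext, $2 = the line.
avc_type() {
  printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^:]*\):.*/\1/p"
}

# Prints the relabel commands for a directory: a persistent fcontext rule,
# then restorecon so the existing files pick it up. $1 = dir, $2 = type.
selinux_relabel_cmds() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -R -v %s\n' "$1"
}

# Stand-alone run; nothing here touches the live system.
main() {
  check_rsyslog_tls_order "$GOOD_TLS_LISTENER" && echo "good config: listener started last"
  check_rsyslog_tls_order "$BAD_TLS_LISTENER" || echo "bad config: \$InputTCPServerRun before driver setup"
  echo "denied: $(avc_type scontext "$SAMPLE_AVC") reading a $(avc_type tcontext "$SAMPLE_AVC") file"
  selinux_relabel_cmds /etc/rsyslog.d/certs cert_t   # assumed path and label
}
main
```

On a real host the AVC lines come from `ausearch -m AVC -ts recent`; the scontext type is the domain rsyslogd runs in, and the tcontext type is what the files carry now. Relabel, restart rsyslog, and re-run ausearch: if the same denial appears with the new tcontext, that type is not readable by the daemon's domain either, and a different target type (or a local policy module) is needed.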
