Date: Wed, 23 Jul 2014 10:37:51 +0100
Hi Eero and Elias,
So setting it to cert_t worked, as did:
semanage fcontext -a -t etc_t "/etc/grid-security(/.*)?"
I chose etc_t as, when I did an ls -Z, the certificates folder had this to
begin with and was happy, whereas the hostkeys and certs had admin_home.
The output of audit2why is here; I do not understand it at all.
# tail /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1406108140.477:6317): avc: denied { search } for pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1406108140.479:6318): avc: denied { search } for pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
I would like to understand SELinux and how to audit the problems, but I
have not found a good entry-level guide. Usually the problems I have
are simple, such as ssh-key permissions or httpd problems; Google has
always had a solution, I just do not know how to get to these solutions
myself.
Regards,
Robin.
On 23/07/14 10:18, Elias Persson wrote:
> On 2014-07-23 10:43, Robin Long wrote:
>> Hi Eero,
>>
>> Thanks for the advice. That command does not seem to work; it changes
>> the context from:
>>
>> drwxr-x---. root root unconfined_u:object_r:etc_t:s0 certificates
>> -rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
>> -rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem
>>
>> to
>>
>> drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
>> -rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
>> -rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem
>>
>> but then results in the error:
>> could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078
>>
>> which usually translates as "cannot read your CA file".
>>
>
> What do you get from:
>
> tail /var/log/audit/audit.log | audit2why
>
> (shortly after getting that error).
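The AVC records Robin pasted above are dense, so here is an added example (not code from this thread, nor from the audit or SELinux tools) of a small Python parser that reads them, decodes the hex-encoded comm field, collapses the two identical denials into one line, and prints the checks a practitioner would run next. It assumes the two records are re-joined onto one line each (constructed sample input, taken from the post) and that the path is /etc/grid-security, as in the semanage command in the same mail; the suggested commands are returned as strings, not executed.

```python
"""Parse SELinux AVC denials from audit.log and explain them.

Added example for this thread, not code from the mail or from the
audit/SELinux tools. Sample records: the two denials from the post.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed input: the two AVC records from the post, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1406108140.477:6317): avc: denied { search } for pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
type=AVC msg=audit(1406108140.479:6318): avc: denied { search } for pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Only these fields carry free-form strings the kernel may hex-encode.
# Numeric fields (pid=, ino=) are never decoded, even when their digits
# happen to look like hex.
STRING_FIELDS = {"comm", "name", "exe", "path", "cwd", "proctitle"}


def decode_audit_string(value: str) -> str:
    """Audit writes a string in double quotes when it is plain printable
    text, and as unquoted uppercase hex when it contains a space, a quote
    or a control character. comm=72733A... above is the hex form."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode("ascii", errors="replace")
    return value


@dataclass
class AvcDenial:
    serial: int
    perms: list
    tclass: str
    fields: dict

    @property
    def source_type(self) -> str:
        # scontext=user:role:type:level -> the domain that was refused
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def summary(self) -> str:
        return (f"{self.source_type} (comm {self.fields.get('comm')!r}) was denied "
                f"{'+'.join(self.perms)} on {self.tclass} {self.fields.get('name')!r} "
                f"labelled {self.target_type}")


def parse_avc_records(log_text: str) -> list:
    """Return the AVC denials in audit.log text; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("result") != "denied":
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        for key in STRING_FIELDS.intersection(fields):
            fields[key] = decode_audit_string(fields[key])
        denials.append(AvcDenial(serial=int(m.group("serial")),
                                 perms=m.group("perms").split(),
                                 tclass=fields.pop("tclass"),
                                 fields=fields))
    return denials


def group_denials(denials: list) -> dict:
    """Collapse identical denials (audit2why printed the same one twice)
    into summary -> count, keeping first-seen order."""
    counts = OrderedDict()
    for d in denials:
        counts[d.summary()] = counts.get(d.summary(), 0) + 1
    return counts


def suggested_checks(d: AvcDenial, path: str) -> list:
    """Next steps as command strings; nothing is executed here. ls -Z shows
    the label the file has, matchpathcon the label the loaded policy says it
    should have, restorecon applies the latter, and sesearch shows whether
    any allow rule exists for this exact source/target/class/permission."""
    return [
        f"ls -Zd {path}",
        f"matchpathcon {path}",
        f"restorecon -Rv {path}",
        f"sesearch -A -s {d.source_type} -t {d.target_type} "
        f"-c {d.tclass} -p {','.join(d.perms)}",
    ]


if __name__ == "__main__":
    found = parse_avc_records(SAMPLE_AUDIT_LOG)
    for text, count in group_denials(found).items():
        print(f"{count}x {text}")
    for cmd in suggested_checks(found[0], "/etc/grid-security"):
        print("  " + cmd)
```

The comm field decodes to "rs:main Q:Reg", rsyslog's main queue worker thread, which is why the denial did not obviously look like rsyslog. Two points the checks above make explicit: `semanage fcontext -a` only records the rule, and the files keep their old label until `restorecon -R` is run on them; and comparing `ls -Z` with `matchpathcon` tells you whether the object is mislabelled (fix with restorecon) or correctly labelled but the policy has no rule (then audit2allow, or a different type, is the answer).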