Hi Eero and Elias,
So setting it to cert_t worked, as did:
semanage fcontext -a -t etc_t "/etc/grid-security(/.*)?"
I chose etc_t as when I did an ls -Z the certificates folder had this to
begin with and was happy, whereas the hostkeys and certs had admin_home.
The output of audit2why is here, I do not understand it at all.
# tail /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1406108140.477:6317): avc: denied { search } for
pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
type=AVC msg=audit(1406108140.479:6318): avc: denied { search } for
pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow
this access.
I would like to understand SELinux and how to audit the problems, but I
have not found a good entry level guide. Usually the problems I have
are simple such as ssh-key permissions or httpd problems - Google has
always had a solution, I just do not know how to get to these solutions
myself.
Regards,
Robin.
On 23/07/14 10:18, Elias Persson wrote:
On 2014-07-23 10:43, Robin Long wrote:
Hi Eero,
Thanks for the advice. That command does not seem to work, it changes
the context from:
drwxr-x---. root root unconfined_u:object_r:etc_t:s0 certificates
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
-rw-r-----. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem
to
drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0
certificates
-rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0
hostcert.pem
-rw-r-----. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem
but then results in the error:
could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error
-2078
which usually translates as "cannot read your CA file".
What do you get from:
tail /var/log/audit/audit.log | audit2why
(shortly after getting that error).
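
The AVC records quoted in the message above can be read field by field. The following is an added example, not part of the original thread: it parses the first record (re-joined onto one line), decodes the hex-encoded comm value, and pulls the SELinux types out of scontext and tcontext. The function names are hypothetical.

```python
import re

# First AVC record from the message above, re-joined onto one line
# (the e-mail client had wrapped it).
SAMPLE = (
    'type=AVC msg=audit(1406108140.477:6317): avc: denied { search } for '
    'pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 '
    'ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel writes quoted when "safe" and as hex otherwise.
STRING_FIELDS = {'comm', 'name', 'exe', 'path'}


def decode_string(raw):
    """Return the readable form of a quoted or hex-encoded audit string."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw  # not hex, e.g. (null)


def parse_avc(line):
    """Parse one AVC line into a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(3)))
    for key in STRING_FIELDS & fields.keys():
        fields[key] = decode_string(fields[key])
    # A context is user:role:type:level; the type drives type enforcement.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields


def explain(rec):
    """One-line summary: who was denied which permission on what."""
    return (f"{rec['comm']!r} in domain {rec['source_type']} was {rec['result']} "
            f"{{ {' '.join(rec['perms'])} }} on {rec['tclass']} {rec['name']!r} "
            f"labelled {rec['target_type']}")


if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE)))
```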