Re: Encrypted rsyslog

2014-07-23 Thread Robin Long

Hi Eero,

Thanks for the advice.  That command does not seem to work; it changes 
the context from:


drwxr-x---. root root unconfined_u:object_r:etc_t:s0   certificates
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

to

drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

but then results in the error:
could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078

which usually translates as "cannot read your CA file".

Will keep trying,

Thanks for all the help.

Robin.

On 23/07/14 03:34, Eero Volotinen wrote:

2014-07-22 22:58 GMT+03:00 Eero Volotinen:

2014-07-22 22:01 GMT+03:00 Robin Eamonn Long:

Hi Eero,

I found this page:

http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
which suggests that:
There is a good chance you’ve got the $InputTCPServerRun and
$InputTCPServerStreamDriverMode directives in the wrong order,
the $InputTCPServerRun should come last.

Then I got the error messages that the peer was not permitted
to talk to the server.  It looks like the order of commands is
very specific and needs to be:

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net

$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514

It seems to all be working now.

Do you know the selinux magic that I need to perform on the
certificates so that it works without disabling selinux?


You need to set correct fcontext to files (see man semanage) and
semanage fcontext -l (to list defined context) and then restorecon
-Rv /path/to/directory

--
Eero


So this magic might work:

semanage fcontext -a -t syslog_conf_t "/path/to/keys(/.*)?"

restorecon -R -v /path/to/keys

just a wild guess without any testing..

--
Eero





Re: Encrypted rsyslog

2014-07-23 Thread Eero Volotinen
Maybe cert_t is the correct context, as certificates are usually located under
/etc/pki

so try something like:

semanage fcontext -a -t cert_t "/path/to/keys(/.*)?"
restorecon -R -v /path/to/keys

and you should also be familiar with selinux audit logs to figure out
correct context.






Re: Encrypted rsyslog

2014-07-23 Thread Elias Persson

On 2014-07-23 10:43, Robin Long wrote:

Hi Eero,

Thanks for the advice.  That command does not seem to work, it changes
the context from:

drwxr-x---. root root unconfined_u:object_r:etc_t:s0   certificates
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

to

drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

but then results in the error:
could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078

which usually translates as "cannot read your CA file".



What do you get from:

  tail /var/log/audit/audit.log | audit2why

(shortly after getting that error).


matplotlib problems on SL6

2014-07-23 Thread Ian A Taylor

Sir/Madam

I am trying to run matplotlib on an SL6 machine

I installed ok with

yum install numpy python-matplotlib ipython sympy python-nose

However

When running matplotlib, I receive errors

/usr/lib64/python2.6/site-packages/matplotlib/backends/backend_gtk.py:621: 
DeprecationWarning: Use the new widget gtk.Tooltip

  self.tooltips = gtk.Tooltips()

I found

http://matplotlib.1069221.n5.nabble.com/v-0-99-1-1-DeprecationWarning-Use-the-new-widget-gtk-Tooltip-self-tooltips-gtk-Tooltips-td41393.html

run

yum-builddep python-matplotlib

with no problems

When I try to run

yum install matplotlib

I get
No package matplotlib available.

So I must be looking in the wrong places for matplotlib

A



yum list | grep numpy

numpy.x86_64  1.4.1-9.el6  @anaconda-ScientificLinux-201208021738.x86_64
numpy-f2py.x86_64  1.4.1-9.el6sl


yum list | grep matplotlib

python-matplotlib.x86_64      0.99.1.2-1.el6   @sl
python-matplotlib-tk.x86_64   0.99.1.2-1.el6   sl


So it would appear I am short of Numpy version 1.5,

Any help to resolve this would be much appreciated


Thanking you.

Yours sincerely



Ian Taylor
University of St.Andrews,
School of Physics & Astronomy,
North Haugh,
St.Andrews,
Fife  KY16 9SS,
Scotland.

e-Mail :- i...@st-and.ac.uk
Tel:- (0)1334-463141
Fax:- (0)1334-463104

The University of St Andrews
is a charity registered in
Scotland : No SC013532.


Re: Encrypted rsyslog

2014-07-23 Thread Robin Long

Hi Eero and Elias,

So setting it to cert_t worked, as did:
semanage fcontext -a -t etc_t "/etc/grid-security(/.*)?"
I chose etc_t as when I did an ls -Z the certificates folder had this to 
begin with and was happy, whereas the hostkeys and certs had admin_home.


The output of audit2why is here, I do not understand it at all.

# tail /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for  
pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir


Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow 
this access.


type=AVC msg=audit(1406108140.479:6318): avc:  denied  { search } for  
pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir


Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow 
this access.



I would like to understand SELinux and how to audit the problems, but I 
have not found a good entry level guide.  Usually the problems I have 
are simple such as ssh-key permissions or httpd problems - google has 
always had a solution, I just do not know how to get to these solutions 
myself.


Regards,
Robin.




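Robin's audit2why output above, read programmatically. This is an added example, not code from the thread: it parses the AVC records, decodes the hex-encoded comm field (audit hex-encodes it when it contains a space), and groups denials by source domain, permission, object class and target type. The two records are the ones from the message; they say the rsyslog domain syslogd_t was denied search on a directory labelled syslog_conf_t, which is why the thread's fix was relabelling the directory to a type rsyslog may read (cert_t or etc_t) rather than loading an audit2allow module.

```python
import re
from collections import Counter

# Sample input: the two AVC records quoted from the thread, one per line as audit.log stores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for  pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
type=AVC msg=audit(1406108140.479:6318): avc:  denied  { search } for  pid=9753 comm=72733A6D61696E20513A526567 name="grid-security" dev=dm-0 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(raw):
    """auditd hex-encodes comm when it contains spaces, as 'rs:main Q:Reg' does."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw

def selinux_type(context):
    # user:role:type[:level] -> type
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    f = dict(FIELD_RE.findall(m.group('rest')))
    return {'serial': int(m.group('serial')), 'result': m.group('result'),
            'perms': m.group('perms').split(), 'pid': int(f.get('pid', '0')),
            'comm': decode_comm(f.get('comm', '')), 'name': f.get('name', '').strip('"'),
            'source_type': selinux_type(f['scontext']),
            'target_type': selinux_type(f['tcontext']), 'tclass': f['tclass']}

def explain(rec):
    """One plain-English line per record, the way a human reads an AVC denial."""
    return ("domain {source_type} (pid {pid}, comm '{comm}') was {result} '{perm}' on "
            "{tclass} '{name}' labelled {target_type}".format(perm=' '.join(rec['perms']), **rec))

def summarise(log_text):
    """Parse audit.log text; return (records, count of each distinct denial)."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    counts = Counter((r['source_type'], ' '.join(r['perms']), r['tclass'], r['target_type'])
                     for r in records if r['result'] == 'denied')
    return records, counts
```

Run it over `tail /var/log/audit/audit.log` output and the counts show which (domain, permission, class, type) combination to fix; a target type the domain is never meant to read points at a labelling error, not a missing policy rule.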
Re: Encrypted rsyslog

2014-07-23 Thread Eero Volotinen

Read the manual at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/

--
Eero


rpm problem

2014-07-23 Thread ToddAndMargo

Hi All,

I am having trouble installing the PDF Studio RPM.

https://www.dropbox.com/s/slgrnolcsktaezz/PDFStudio_v9_0_2_linux.rpm

# cat /etc/redhat-release
Scientific Linux release 6.5 (Carbon)

# uname -r
2.6.32-431.20.3.el6.x86_64

# rpm -ivh PDFStudio_v9_0_2_linux.rpm
Preparing... ### [100%]
1:PDFStudio ### [100%]
error: unpacking of archive failed on file .pdfstudio9/:
cpio: Archive file not in header

Any way to fix this?

Many thanks,
-T


Re: rpm problem

2014-07-23 Thread Mark Stodola


I would first check the integrity of the file.
I downloaded it here (not installed it, as I don't have SL6.5).
It unpacked fine though using "rpm2cpio filename.rpm | cpio -idmv"
I have the following checksums on it:

MD5: f39d0ef9c4fd74cbfcbffa37f0ee18f2  PDFStudio_v9_0_2_linux.rpm
SHA1: 2e69d1b564cfebcac5cba9244bd04f64cedc959f  PDFStudio_v9_0_2_linux.rpm

It has an odd directory structure; it seems to put everything in 
/pdfstudio9.


-Mark


Re: matplotlib problems on SL6

2014-07-23 Thread Orion Poplawski

On 07/23/2014 03:19 AM, Ian A Taylor wrote:

Sir/Madam

I am trying to run matplotlib on an SL6 machine

I installed ok with

yum install numpy python-matplotlib ipython sympy python-nose

However

When running matplotlib, I receive errors

/usr/lib64/python2.6/site-packages/matplotlib/backends/backend_gtk.py:621:
DeprecationWarning: Use the new widget gtk.Tooltip
   self.tooltips = gtk.Tooltips()

I found

http://matplotlib.1069221.n5.nabble.com/v-0-99-1-1-DeprecationWarning-Use-the-new-widget-gtk-Tooltip-self-tooltips-gtk-Tooltips-td41393.html


run

yum-builddep python-matplotlib

with no problems


Not sure what you are trying to do here.


When I try to run

yum install matplotlib

I get
No package matplotlib available.

So I must be looking in the wrong places for matplotlib


No, it's called "python-matplotlib" and you have it.  Although there may be 
alternative locations to get newer versions.



So it would appear I am short of Numpy version 1.5,

Any help to resolve this would be much appreciated


This is an upstream issue.  I would suggest filing a bug:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

either against python-matplotlib or numpy.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com