Re: Encrypted rsyslog

2014-07-23 Thread Eero Volotinen
Maybe cert_t is correct context as certificates are usually located under
/etc/pki

so try something like:

semanage fcontext -a -t cert_t "/path/to/keys(/.*)?"
restorecon -R -v /path/to/keys

and you should also be familiar with selinux audit logs to figure out
correct context.




2014-07-23 11:43 GMT+03:00 Robin Long r.l...@cern.ch:

  Hi Eero,

 Thanks for the advice.  That command does not seem to work, it changes the
 context from:

 drwxr-x---. root root unconfined_u:object_r:etc_t:s0   certificates
 -rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
 -rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

 to

 drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
 -rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
 -rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

 but then results in the error:
 could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078

 which usually translates as cannot read your CA file.

 Will keep trying,

 Thanks for all the help.

 Robin.


 On 23/07/14 03:34, Eero Volotinen wrote:




 2014-07-22 22:58 GMT+03:00 Eero Volotinen eero.voloti...@iki.fi:




  2014-07-22 22:01 GMT+03:00 Robin Eamonn Long r.l...@cern.ch:

 Hi Eero,

 I found this page:
 http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
 which suggests that:
 There is a good chance you’ve got the $InputTCPServerRun and
 $InputTCPServerStreamDriverMode directives in the wrong order, the
 $InputTCPServerRun should come last.

 Then I got the error messages that the peer was not permitted to talk to
 the server.  It looks like the order of commands is very specific and needs
 to be:

 $InputTCPServerStreamDriverAuthMode x509/name
 $InputTCPServerStreamDriverPermittedPeer *.example.net
 $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
 $InputTCPServerRun 10514 # start up listener at port 10514

  It seems to all be working now.

 Do you know the selinux magic that I need to perform on the certificates
 so that it works without disabling selinux?


  You need to set correct fcontext to files (see man semanage) and semanage
 fcontext -l (to list defined context) and then restorecon -Rv
 /path/to/directory

  --
 Eero


  So this magic might work:

  semanage fcontext -a -t syslog_conf_t "/path/to/keys(/.*)?"
 restorecon -R -v /path/to/keys

  just a wild guess without any testing..

  --
 Eero





matplotlib problems on SL6

2014-07-23 Thread Ian A Taylor

Sir/Madam

I am trying to run matplotlib on an SL6 machine

I installed ok with

yum install numpy python-matplotlib ipython sympy python-nose

However

When running matplotlib, I receive errors

/usr/lib64/python2.6/site-packages/matplotlib/backends/backend_gtk.py:621: 
DeprecationWarning: Use the new widget gtk.Tooltip

  self.tooltips = gtk.Tooltips()

I found

http://matplotlib.1069221.n5.nabble.com/v-0-99-1-1-DeprecationWarning-Use-the-new-widget-gtk-Tooltip-self-tooltips-gtk-Tooltips-td41393.html

run

yum-builddep python-matplotlib

with no problems

When I try to run

yum install matplotlib

I get
No package matplotlib available.

So I must be looking in the wrong places for matplotlib

A



yum list | grep numpy

numpy.x86_64  1.4.1-9.el6  @anaconda-ScientificLinux-201208021738.x86_64
numpy-f2py.x86_64  1.4.1-9.el6  sl


yum list | grep matplotlib

python-matplotlib.x86_64   0.99.1.2-1.el6   @sl
python-matplotlib-tk.x86_64   0.99.1.2-1.el6   sl


So it would appear I am short of Numpy version 1.5,

Any help to resolve this would be much appreciated


Thanking you.

Yours sincerely



Ian Taylor
University of St.Andrews,
School of Physics & Astronomy,
North Haugh,
St.Andrews,
Fife  KY16 9SS,
Scotland.

e-Mail :- i...@st-and.ac.uk
Tel:- (0)1334-463141
Fax:- (0)1334-463104

The University of St Andrews
is a charity registered in
Scotland : No SC013532.


Re: Encrypted rsyslog

2014-07-23 Thread Robin Long

Hi Eero and Elias,

So setting it to cert_t worked, as did:
semanage fcontext -a -t etc_t "/etc/grid-security(/.*)?"
I chose etc_t as when I did an ls -Z the certificates folder had this to 
begin with and was happy, whereas the hostkeys and certs had admin_home.


The output of audit2why is here, I do not understand it at all.

# tail /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for  
pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0 
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir


Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow 
this access.


type=AVC msg=audit(1406108140.479:6318): avc:  denied  { search } for  
pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0 
ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 
tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir


Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow 
this access.



I would like to understand SELinux and how to audit the problems, but I 
have not found a good entry level guide.  Usually the problems I have 
are simple such as ssh-key permissions or httpd problems - google has 
always had a solution, I just do not know how to get to these solutions 
myself.


Regards,
Robin.


On 23/07/14 10:18, Elias Persson wrote:

On 2014-07-23 10:43, Robin Long wrote:

Hi Eero,

Thanks for the advice.  That command does not seem to work, it changes
the context from:

drwxr-x---. root root unconfined_u:object_r:etc_t:s0 certificates
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

to

drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
-rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

but then results in the error:
could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078


which usually translates as cannot read your CA file.



What do you get from:

  tail /var/log/audit/audit.log | audit2why

(shortly after getting that error).


Re: Encrypted rsyslog

2014-07-23 Thread Eero Volotinen
2014-07-23 12:37 GMT+03:00 Robin Long r.l...@cern.ch:

 Hi Eero and Elias,

 So setting it to cert_t worked, as did:
 semanage fcontext -a -t etc_t "/etc/grid-security(/.*)?"
 I chose etc_t as when I did an ls -Z the certificates folder had this to
 begin with and was happy, whereas the hostkeys and certs had admin_home.

 The output of audit2why is here, I do not understand it at all.

 # tail /var/log/audit/audit.log | audit2why
 type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for
  pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0
 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir

 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow
 this access.

 type=AVC msg=audit(1406108140.479:6318): avc:  denied  { search } for
  pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0
 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir

 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow
 this access.


 I would like to understand SELinux and how to audit the problems, but I
 have not found a good entry level guide.  Usually the problems I have are
 simple such as ssh-key permissions or httpd problems - google has always
 had a solution, I just do not know how to get to these solutions myself.


Read the manual at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/

--
Eero
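
Added example (not part of any message in this thread): a short Python reader for the AVC denials quoted above. It decodes the hex-encoded comm field and extracts the source and target SELinux types, which shows that rsyslog's syslogd_t domain was refused search on a directory labelled syslog_conf_t. The function names and the choice of which fields to hex-decode are assumptions of this example; the sample is the thread's first record re-joined onto one line.

```python
import re

# First AVC record from the thread, re-joined onto one line (the e-mail wrapped it).
SAMPLE = (
    "type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for  "
    "pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0 "
    "ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0 "
    "tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
# Assumption: only these string fields may be hex-encoded; never ino= or pid=.
STRING_FIELDS = {"comm", "exe", "path", "name"}

def decode_value(key, value):
    """Undo audit's encoding: quoted strings are literal, bare hex is encoded text."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        try:
            text = bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            return value
        return text if text.isprintable() else value
    return value

def parse_avc(line):
    """Return the security-relevant parts of one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields = {k: decode_value(k, v) for k, v in fields.items()}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def missing_rule(avc):
    """Spell out the TE rule audit2why reports as missing (for reading, not loading)."""
    return "allow {source_type} {target_type}:{tclass} {{ {p} }};".format(p=" ".join(avc["perms"]), **avc)

if __name__ == "__main__":
    avc = parse_avc(SAMPLE)
    print(avc["comm"], "->", missing_rule(avc))
```

Read this way, the denial says the rsyslog thread could not traverse a directory carrying the syslog_conf_t label, which matches the thread's outcome that relabelling the directory (cert_t or etc_t) resolved it.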


rpm problem

2014-07-23 Thread ToddAndMargo

Hi All,

I am having trouble installing the PDF Studio RPM.

https://www.dropbox.com/s/slgrnolcsktaezz/PDFStudio_v9_0_2_linux.rpm

# cat /etc/redhat-release
Scientific Linux release 6.5 (Carbon)

# uname -r
2.6.32-431.20.3.el6.x86_64

# rpm -ivh PDFStudio_v9_0_2_linux.rpm
Preparing... ### [100%]
1:PDFStudio ### [100%]
error: unpacking of archive failed on file .pdfstudio9/:
cpio: Archive file not in header

Any way to fix this?

Many thanks,
-T


Re: rpm problem

2014-07-23 Thread Mark Stodola

On 07/23/2014 10:43 AM, ToddAndMargo wrote:

Hi All,

I am having trouble installing the PDF Studio RPM.

https://www.dropbox.com/s/slgrnolcsktaezz/PDFStudio_v9_0_2_linux.rpm

# cat /etc/redhat-release
Scientific Linux release 6.5 (Carbon)

# uname -r
2.6.32-431.20.3.el6.x86_64

# rpm -ivh PDFStudio_v9_0_2_linux.rpm
Preparing... ### [100%]
 1:PDFStudio ### [100%]
error: unpacking of archive failed on file .pdfstudio9/:
cpio: Archive file not in header

Any way to fix this?

Many thanks,
-T


I would first check the integrity of the file.
I downloaded it here (not installed it, as I don't have SL6.5).
It unpacked fine though using rpm2cpio filename.rpm | cpio -idmv
I have the following checksum on it:

MD5: f39d0ef9c4fd74cbfcbffa37f0ee18f2  PDFStudio_v9_0_2_linux.rpm
SHA1: 2e69d1b564cfebcac5cba9244bd04f64cedc959f  PDFStudio_v9_0_2_linux.rpm

It has an odd directory structure, it seems to put everything in 
/pdfstudio9.


-Mark


Re: matplotlib problems on SL6

2014-07-23 Thread Orion Poplawski

On 07/23/2014 03:19 AM, Ian A Taylor wrote:

Sir/Madam

I am trying to run matplotlib on an SL6 machine

I installed ok with

yum install numpy python-matplotlib ipython sympy python-nose

However

When running matplotlib, I receive errors

/usr/lib64/python2.6/site-packages/matplotlib/backends/backend_gtk.py:621:
DeprecationWarning: Use the new widget gtk.Tooltip
   self.tooltips = gtk.Tooltips()

I found

http://matplotlib.1069221.n5.nabble.com/v-0-99-1-1-DeprecationWarning-Use-the-new-widget-gtk-Tooltip-self-tooltips-gtk-Tooltips-td41393.html


run

yum-builddep python-matplotlib

with no problems


Not sure what you are trying to do here.


When I try to run

yum install matplotlib

I get
No package matplotlib available.

So I must be looking in the wrong places for matplotlib


No, it's called python-matplotlib and you have it.  Although there may be 
alternative locations to get newer versions.



So it would appear I am short of Numpy version 1.5,

Any help to resolve this would be much appreciated


This is an upstream issue.  I would suggest filing a bug:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

either against python-matplotlib or numpy.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com