[rsyslog-notify] Forum Thread: Re: Error: could not load module lmnsd_gtls.so, only init sc - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Fri Mar 28 16:45:57 CET 2014


User: mvoge 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24446#p24446

Message: 
----------
Hi dlang,

that's an interesting point. Yes, I also checked the permissions of all
directories in the full path, and they were in both cases all readable and
executable (drwxr-xr-x. for every dir in both paths), so this was not the
reason.

Maybe SELinux is the reason behind it? I tried this:

[code:32ucfdib]
[root at test-logbroker ~]# ls -Z /var/lib/puppet/ssl/
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 certs
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 private_keys
[root at test-logbroker ~]# ls -Z /var/lib/puppet/ssl/certs/
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 ca.pem
-rw-r-----. root root unconfined_u:object_r:var_lib_t:s0 test-logbroker.testbed.lan.pem
[root at test-logbroker ~]# ls -Z /var/lib/puppet/ssl/private_keys/
-rw-r-----. root root unconfined_u:object_r:var_lib_t:s0 test-logbroker.testbed.lan.pem

[root at test-logbroker ~]# ls -Z /etc/pki/puppet/
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0 certs
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0 private_keys
[root at test-logbroker ~]# ls -Z /etc/pki/puppet/certs/
-r--------. root root unconfined_u:object_r:cert_t:s0 ca.pem
-r--------. root root unconfined_u:object_r:cert_t:s0 test-logbroker.testbed.lan.pem
[root at test-logbroker ~]# ls -Z /etc/pki/puppet/private_keys/
-r--------. root root unconfined_u:object_r:cert_t:s0 test-logbroker.testbed.lan.pem
[/code:32ucfdib]

So, they both look pretty similar. Both directories are unconfined_u, and
both have a parent dir that is system_u:

[code:32ucfdib]
[root at test-logbroker ~]# ls -Zd /var/lib/
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 /var/lib/
[root at test-logbroker ~]# ls -Zd /etc/pki/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/pki/
[/code:32ucfdib]

The only difference is that one dir has var_lib_t, the other has cert_t.
Maybe SELinux will allow certificate reading only from the dir that has the
cert_t attribute?

I don't know... I have no knowledge about SELinux.
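
One way to test the SELinux hypothesis raised in the post above is to look for AVC denial records that name rsyslogd in the audit log and compare the target type they report. This is an added example, not part of the original forum post; the audit records are constructed samples and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (not from the thread); pids, inodes,
# timestamps and the exe path are made up for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1396021557.101:411): avc:  denied  { read } for  pid=2041 comm="rsyslogd" name="ca.pem" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1396021557.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd"
type=AVC msg=audit(1396021560.007:415): avc:  denied  { getattr } for  pid=2100 comm="httpd" path="/srv/x" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1396021561.300:420): avc:  denied  { open read } for  pid=2041 comm="rsyslogd" name="test-logbroker.testbed.lan.pem" dev=dm-0 ino=1312 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# avc_denials COMM: read audit records on stdin and print one line per AVC
# denial caused by COMM, in the form:
#   <permissions> <object class> <object name> <source type> <target type>
avc_denials() {
  awk -v c="$1" '
    BEGIN { want = "comm=\"" c "\"" }
    $1 == "type=AVC" && / denied / {
      perms = ""; name = "-"; st = ""; tt = ""; cls = ""; hit = 0; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }   # permission list starts
        if ($i == "}") { inperm = 0; continue }   # permission list ends
        if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
        if ($i == want) hit = 1
        else if ($i ~ /^(name|path)=/) {
          name = $i; sub(/^[a-z]+=/, "", name); gsub(/"/, "", name)
        }
        # Contexts are user:role:type:level; the type is the third field.
        else if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (hit) print perms, cls, name, st, tt
    }'
}

# Demo on the constructed sample. On a real host with auditd, feed the audit
# log instead, e.g.: avc_denials rsyslogd < /var/log/audit/audit.log
sample_audit_log | avc_denials rsyslogd
```

If the real audit log shows no denial for rsyslogd at the time of the failed load, SELinux type enforcement is unlikely to be what blocked the read.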

