So I have tried to run the chcon command on the /opt/splunk/lib as the docs indicate.
chcon -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null and chcon -v -R -u system_u -r object_r -t lib_t /opt/splunk/lib 2>&1 > /dev/null
export SPLUNK_IGNORE_SELINUX=1 to setSplunkEnv script but not sure I did it correctly? Does it need to be at the end, before the esac or ??
Can I verify the chcon ran successfully?
On RHEL 6 there is no need to change anything in relation to SELinux for Splunk to work correctly. However, it's a good idea to confine Splunk with SELinux to take advantage of the protection it provides: https://github.com/doksu/selinux_policy_for_splunk
Yes, it applies to any RHEL 6 binary-compatible distributions (CentOS, Oracle Linux, etc). If you're concerned, you can have your cake and eat it too by confining Splunk with the policy but running it in permissive (so it only logs policy violations, rather than preventing them). Be sure to ingest your AVCs into Splunk (by putting an inputs.conf monitor stanza on /var/log/audit/audit.log), then use the 'Type Enforcement' dashboard of the Linux Auditd app (https://splunkbase.splunk.com/app/2642/) to analyse denials.
N.B. I've been working on a RHEL 7 version of the policy recently; let me know if you'd like any further information - it should be released on GitHub some time soon.
The easiest way to verify any SELinux labelling worked properly is with the "-Z" option to ls. But, starting with RHEL5, there are superior tools to chcon for more permanently configuring your SELinux policy to put certain files into a specific context. Look into the "semanage" and "restorecon" tools.
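The label check discussed above, applied to a whole tree rather than read by eye from "ls -Z" (an added example, not part of the original posts): it flags every path whose SELinux type is not the expected one. The function names mislabeled and sample_labels, and the file names in the sample, are constructed for illustration; the live commands in the comments assume GNU find and the policycoreutils tools.

```shell
#!/bin/sh
# mislabeled EXPECTED_TYPE
# Reads "<context><TAB><path>" lines on stdin, prints each path whose
# SELinux type differs from EXPECTED_TYPE, and returns 1 if any did.
mislabeled() {
    expected=$1
    awk -F '\t' -v want="$expected" '
        {
            # Context is user:role:type[:level]; the level may contain
            # further colons, so only the third field is compared.
            n = split($1, f, ":")
            if (n < 3 || f[3] != want) { print $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# On a live host, GNU find prints each file's context with %Z:
#   find /opt/splunk/lib -printf '%Z\t%p\n' | mislabeled lib_t
#
# Persistent rule plus relabel, instead of a one-off chcon:
#   semanage fcontext -a -t lib_t '/opt/splunk/lib(/.*)?'
#   restorecon -Rv /opt/splunk/lib

# Constructed sample input standing in for the find output above.
sample_labels() {
    printf 'system_u:object_r:lib_t:s0\t/opt/splunk/lib/liba.so\n'
    printf 'unconfined_u:object_r:usr_t:s0\t/opt/splunk/lib/libb.so\n'
    printf 'system_u:object_r:lib_t:s0:c0.c1023\t/opt/splunk/lib/libc.so\n'
}
```

A chcon label is lost on the next full relabel, while a rule added with semanage fcontext is what restorecon applies from then on.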