Bug 436660

Summary: SELinux prevents rsyslog-mysql from working.
Product: [Fedora] Fedora Reporter: David Yaffe <dyaffe>
Component: rsyslogAssignee: Peter Vrabec <pvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8CC: dwalsh, theinric
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 3.0.8-93.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-13 11:24:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Yaffe 2008-03-08 20:55:31 UTC
Description of problem: rsyslog-mysql can not access mysql databases with
selinux set to enforcing.


Version-Release number of selected component (if applicable):
rsyslog-mysql-2.0.2-1.fc8

How reproducible:
always


Steps to Reproduce:
1. install rsyslog-mysql
2. follow included instructions to configure
3. reload rsyslogd.
  
Actual results:
3 avc denials:
type=AVC msg=audit(1205009327.282:1560): avc:  denied  { name_connect } for 
pid=20518 comm="rsyslogd" dest=3306 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1205009327.283:1561): avc:  denied  { getattr } for 
pid=20518 comm="rsyslogd" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0
ino=11534337 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC msg=audit(1205009327.283:1562): avc:  denied  { read } for  pid=20518
comm="rsyslogd" name="Index.xml" dev=dm-0 ino=11534337
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file


Expected results:
rsyslog would use mysql as a datastore.

Additional info:
problem can be resolved using the following method:
1) set selinux to permissive mod (/usr/sbin/setenforce 0)
2) reload rsyslogds configuration (service rsyslog reload)
3) use audit2allow to generate the right rules (cat /var/log/audit/audit.log |
grep rsyslogd | audit2allow -M MYmod2; /usr/sbin/semodule -i MYmod2.pp)
4) set selinux back to enforcing (/usr/sbin/setenforce 1)

Comment 2 Daniel Walsh 2008-03-11 23:42:42 UTC
Fixed in selinux-policy-3.0.8-93.fc8

Comment 3 Peter Vrabec 2008-03-13 11:24:29 UTC
I'm closing this issue, feel free to reopen if problem persist.