Bug 436660 - SELinux prevents rsyslog-mysql from working.
SELinux prevents rsyslog-mysql from working.
Product: Fedora
Classification: Fedora
Component: rsyslog (Show other bugs)
i386 Linux
low Severity low
: ---
: ---
Assigned To: Peter Vrabec
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-03-08 15:55 EST by David Yaffe
Modified: 2008-03-13 07:24 EDT (History)
2 users (show)

See Also:
Fixed In Version: 3.0.8-93.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-13 07:24:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Yaffe 2008-03-08 15:55:31 EST
Description of problem: rsyslog-mysql can not access mysql databases with
selinux set to enforcing.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install rsyslog-mysql
2. follow included instructions to configure
3. reload rsyslogd.
Actual results:
3 avc denials:
type=AVC msg=audit(1205009327.282:1560): avc:  denied  { name_connect } for 
pid=20518 comm="rsyslogd" dest=3306 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1205009327.283:1561): avc:  denied  { getattr } for 
pid=20518 comm="rsyslogd" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0
ino=11534337 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC msg=audit(1205009327.283:1562): avc:  denied  { read } for  pid=20518
comm="rsyslogd" name="Index.xml" dev=dm-0 ino=11534337
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0

Expected results:
rsyslog would use mysql as a datastore.

Additional info:
problem can be resolved using the following method:
1) set selinux to permissive mod (/usr/sbin/setenforce 0)
2) reload rsyslogds configuration (service rsyslog reload)
3) use audit2allow to generate the right rules (cat /var/log/audit/audit.log |
grep rsyslogd | audit2allow -M MYmod2; /usr/sbin/semodule -i MYmod2.pp)
4) set selinux back to enforcing (/usr/sbin/setenforce 1)
Comment 2 Daniel Walsh 2008-03-11 19:42:42 EDT
Fixed in selinux-policy-3.0.8-93.fc8
Comment 3 Peter Vrabec 2008-03-13 07:24:29 EDT
I'm closing this issue, feel free to reopen if problem persist.

Note You need to log in before you can comment on or make changes to this bug.