Description of problem:
rsyslog-mysql provides the ability for rsyslog to put log information into a mysql database. The current selinux-policy (2.4.6-300.el5_6.1) does not appear to provide the correct access.

Version-Release number of selected component (if applicable):
2.4.6-300.el5_6.1

How reproducible:
100%

Steps to Reproduce:
1. install rsyslog/rsyslog-mysql/mysql
2. set everything up
3. run rsyslog/mysql

Actual results:
When rsyslog attempts to connect to the database, you get an AVC denial.

Expected results:
rsyslog should be able to read the database

Additional info:
type=AVC msg=audit(1310742955.892:196139): avc: denied { search } for pid=32754 comm="rsyslogd" name="mysql" dev=md1 ino=331710489 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

#============= syslogd_t ==============
allow syslogd_t mysqld_db_t:dir search;
We also have this in RHEL6:

optional_policy(`
	mysql_stream_connect(syslogd_t)
')
Looks good to me.
Here's what I ended up with:

require {
	type syslogd_t;
	type mysqld_t;
	type mysqld_var_run_t;
	type mysqld_db_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= syslogd_t ==============
allow syslogd_t mysqld_db_t:dir search;
allow syslogd_t mysqld_t:unix_stream_socket connectto;
allow syslogd_t mysqld_var_run_t:sock_file write;

This appears to grant sufficient access for rsyslog to write into the database.
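The module above is the shape audit2allow produces from the AVC denials: each denied line contributes one allow rule keyed on (source type, target type, object class), and the require block lists every type and class the rules reference. The following script is an added example, not part of this bug report or of selinux-policy, that performs that translation on audit lines so the mapping from denial to rule can be followed by hand. Its input is the AVC line quoted in the report plus two constructed lines (the sock_file write and unix_stream_socket connectto denials a local MySQL socket connection would produce; their pid, dev and ino values are made up). The module name rsyslogmysql is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the AVC denial quoted in the bug report,
# lines 2 and 3 are made-up follow-on denials for the MySQL UNIX socket.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310742955.892:196139): avc: denied { search } for pid=32754 comm="rsyslogd" name="mysql" dev=md1 ino=331710489 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1310742955.893:196140): avc: denied { write } for pid=32754 comm="rsyslogd" name="mysql.sock" dev=md1 ino=331710500 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1310742955.894:196141): avc: denied { connectto } for pid=32754 comm="rsyslogd" path="/var/lib/mysql/mysql.sock" scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
"""

# Only "denied" records are of interest; "granted" audit records and
# non-AVC lines are skipped by the search below.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Extract (source type, target type, class, permissions) from AVC denials."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def build_rules(denials):
    """Merge denials into one allow rule per (source, target, class) triple."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="rsyslogmysql"):
    """Render a .te module: header, require block, then allow rules by source."""
    types = sorted({t for (s, tgt, _) in rules for t in (s, tgt)})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass] |= perms
    # "module NAME 1.0;" is the header checkmodule -m expects; audit2allow
    # without -M omits it, which is why the comment above has none.
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, _perm_list(p)) for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    for source in sorted({s for (s, _, _) in rules}):
        lines.append("#============= %s ==============" % source)
        for (s, tgt, tclass), perms in sorted(rules.items()):
            if s == source:
                lines.append("allow %s %s:%s %s;" % (s, tgt, tclass, _perm_list(perms)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module(build_rules(parse_avc(SAMPLE_AUDIT))))
```

Running it prints a module equivalent to the one pasted in the comment above, with a module header added. A raw allow rule like this is the right quick fix for one host, but the maintainer's reply points at the better long-term form: the mysql_stream_connect() interface in the distribution policy bundles the same accesses, so the fix belongs in selinux-policy rather than in per-host local modules.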
Yes, it will be covered by:

optional_policy(`
	mysql_stream_connect(syslogd_t)
')
OK -- guess I don't understand enough about how SELinux works. Suppose that's all good, then! Any ETA?
Well, this is for RHEL5.8 which I guess is in planning. If I get all acks I will do a build.
*** Bug 727550 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-2.4.6-317.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html