Bug 727550 - selinux prevents rsyslog from logging messages into mysql db
Status: CLOSED DUPLICATE of bug 722536
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-08-02 08:49 EDT by Karel Srot
Modified: 2011-08-23 09:21 EDT
Doc Type: Bug Fix
Last Closed: 2011-08-23 09:21:45 EDT

Description Karel Srot 2011-08-02 08:49:20 EDT
Description of problem:

I have set up rsyslog to use the ommysql.so module to store log messages in a mysql database.

Because of selinux the message was not logged into the mysql db.
This AVC appeared in enforcing mode:

type=SYSCALL msg=audit(1312288751.971:51): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=40f19c40 a2=6e a3=0 items=0 ppid=1 pid=11785 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1312288751.971:51): avc:  denied  { search } for  pid=11785 comm="rsyslogd" name="mysql" dev=dm-0 ino=97812543 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

These AVCs appeared in permissive mode:

time->Tue Aug  2 08:39:11 2011
type=SYSCALL msg=audit(1312288751.971:51): arch=c000003e syscall=42 success=no exit=-13 a0=a a1=40f19c40 a2=6e a3=0 items=0 ppid=1 pid=11785 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1312288751.971:51): avc:  denied  { search } for  pid=11785 comm="rsyslogd" name="mysql" dev=dm-0 ino=97812543 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
----
time->Tue Aug  2 08:39:59 2011
type=SYSCALL msg=audit(1312288799.261:54): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=41bc2c40 a2=6e a3=0 items=0 ppid=1 pid=12410 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1312288799.261:54): avc:  denied  { connectto } for  pid=12410 comm="rsyslogd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312288799.261:54): avc:  denied  { write } for  pid=12410 comm="rsyslogd" name="mysql.sock" dev=dm-0 ino=97812737 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1312288799.261:54): avc:  denied  { search } for  pid=12410 comm="rsyslogd" name="mysql" dev=dm-0 ino=97812543 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir


A module generated from these AVCs fixed the problem for me:

module mymod 1.0;

require {
	type syslogd_t;
	type mysqld_t;
	type mysqld_var_run_t;
	type mysqld_db_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= syslogd_t ==============
allow syslogd_t mysqld_db_t:dir search;
allow syslogd_t mysqld_t:unix_stream_socket connectto;
allow syslogd_t mysqld_var_run_t:sock_file write;
Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-316.el5


How reproducible:
always

Steps to Reproduce:
1. Configure rsyslog to log into a mysql db.

Actual results:
no logs in mysql db

Expected results:
logs in mysql db

Additional info:
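The allow rules in the module above are exactly what grouping the AVC records by source type, target type and object class yields. The following is an added example, not code from the report or from selinux-policy, that performs that grouping in the way audit2allow does and renders a loadable .te source; the audit lines are copied from the report. Generated rules still deserve a look before loading, since a denial can also mean mislabeled files rather than a missing rule, and this report was resolved as a duplicate of bug 722536 rather than by a local module.

```python
import re
from collections import defaultdict

# Audit records copied from the report above; one SYSCALL line is included
# to show that non-AVC records are skipped.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1312288799.261:54): arch=c000003e syscall=42 success=yes exit=0 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)',
    'type=AVC msg=audit(1312288799.261:54): avc:  denied  { connectto } for  pid=12410 comm="rsyslogd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:syslogd_t:s0 tcontext=root:system_r:mysqld_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1312288799.261:54): avc:  denied  { write } for  pid=12410 comm="rsyslogd" name="mysql.sock" dev=dm-0 ino=97812737 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:mysqld_var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1312288799.261:54): avc:  denied  { search } for  pid=12410 comm="rsyslogd" name="mysql" dev=dm-0 ino=97812543 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s.*?tcontext=(?P<tcontext>\S+)\s.*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (perms, source type, target type, class) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m.group('perms').split(),
            m.group('scontext').split(':')[2],  # user:role:type[:level] -> type
            m.group('tcontext').split(':')[2],
            m.group('tclass'))

def build_rules(lines):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, src, tgt, cls = parsed
            rules[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in rules.items()}

def render_module(name, rules):
    """Render .te source: a require block plus one allow rule per grouped key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)
```

Calling `render_module("mymod", build_rules(AUDIT_LINES))` reproduces the three allow rules of the reporter's module, with the require block listing the four types and three classes they reference.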
Comment 1 Karel Srot 2011-08-23 09:21:45 EDT

*** This bug has been marked as a duplicate of bug 722536 ***