Centos – rsyslog-mysql on CentOS 5.3 does not have permission to access the mysql.sock

Tags: centos, mysql, permissions, rsyslog, selinux

After installing and configuring both MySQL and rsyslog with the mysql extensions I get the following error in /var/log/messages:

rsyslogd:db error (2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

I can connect through the socket using the mysql client by specifying '--socket=/var/lib/mysql/mysql.sock'.

I have narrowed the problem down to selinux permissions. The /var/log/audit/audit.log file has this to say:

type=AVC msg=audit(1244654592.150:320): avc: denied { search } for pid=6382 comm="rsyslogd" name="mysql" dev=xvda3
ino=1369538 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

Turning selinux into permissive mode does solve the problem. This is going to be a production server and leaving selinux in permissive mode is not an option.

Running restorecon on /var/lib/mysql/mysql.sock also does not solve the problem. Can anyone out there give me a hand?

Edit:

So my quest continues, here's an update. I ended up creating a semodule to explicitly allow this behavior. To do this I did the following (as root):

# cd /var/log/audit/
# grep mysql audit.log | audit2allow

It output this:

#============= syslogd_t ==============
allow syslogd_t mysqld_db_t:dir search;
allow syslogd_t mysqld_var_run_t:sock_file write;
allow syslogd_t mysqld_t:unix_stream_socket connectto;

Those were indeed the permissions I wanted to grant to rsyslog… so I compiled it into a module according to Red Hat's instructions and installed it using the semodule command.

After attempting to restart the rsyslog service the error continues and there are no new 'denied' messages in the audit log. Anybody have any ideas?
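To make the procedure in the edit above concrete, here is an added example (editor's code, not the poster's): a small POSIX shell script that does offline what `grep mysql audit.log | audit2allow` does, turning AVC denial lines into allow rules and wrapping them in loadable-policy source (.te), followed by the real checkmodule / semodule_package / semodule commands for building, installing and confirming the module. The three AVC lines are constructed: the first is the denial quoted in the question, the other two are made up so that the output matches the remaining two rules audit2allow produced; the module name rsyslog_mysql is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stand-in for
# "grep mysql audit.log | audit2allow" that turns AVC denial lines into SELinux
# allow rules and wraps them in loadable-policy source (.te). The module name
# rsyslog_mysql and the sample denials below are assumptions for illustration.

# Constructed AVC lines: the first is the denial quoted in the post; the other
# two are made up so that the output matches the three rules audit2allow gave.
SAMPLE_AVC='type=AVC msg=audit(1244654592.150:320): avc: denied { search } for pid=6382 comm="rsyslogd" name="mysql" dev=xvda3 ino=1369538 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1244654592.151:321): avc: denied { write } for pid=6382 comm="rsyslogd" name="mysql.sock" dev=xvda3 ino=1369540 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1244654592.152:322): avc: denied { connectto } for pid=6382 comm="rsyslogd" path="/var/lib/mysql/mysql.sock" scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC lines on stdin, emit one allow rule per
# (source type, target type, class), merging permissions across repeated
# denials the way audit2allow does. Lines that are not denials are ignored.
avc_to_allow() {
    grep 'avc: *denied *{' | awk '
    {
        # permissions sit between the first pair of braces: denied { search }
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # third colon-separated field of a context is the type
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in rule)) { order[++nr] = key; rule[key] = "" }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[j]
            }
    }
    END {
        for (i = 1; i <= nr; i++) {
            r = rule[order[i]]
            if (index(r, " ")) r = "{ " r " }"   # several perms get braces
            printf "allow %s %s;\n", order[i], r
        }
    }'
}

# build_te MODULE: read allow rules (avc_to_allow output) on stdin and print a
# complete .te source: module header, require block (types and classes the
# rules use), then the rules themselves.
build_te() {
    awk -v mod="${1:-rsyslog_mysql}" '
    $1 == "allow" {
        src = $2; split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        line = $0; sub(/^allow [^ ]+ [^ ]+ */, "", line); gsub(/[{};]/, "", line)
        if (!(src in tseen)) { tseen[src] = 1; types[++nt] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; types[++nt] = tgt }
        if (!(cls in cseen)) { cseen[cls] = 1; classes[++nc] = cls; cperm[cls] = "" }
        np = split(line, p, " ")
        for (j = 1; j <= np; j++)
            if (!((cls, p[j]) in pseen)) {
                pseen[cls, p[j]] = 1
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") p[j]
            }
        rules[++nrule] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) {
            cp = cperm[classes[i]]
            if (index(cp, " ")) cp = "{ " cp " }"
            printf "\tclass %s %s;\n", classes[i], cp
        }
        printf "}\n\n"
        for (i = 1; i <= nrule; i++) print rules[i]
    }'
}

# On the real host (as root) the same pipeline is built and installed with:
#   grep mysql /var/log/audit/audit.log | avc_to_allow | build_te rsyslog_mysql > rsyslog_mysql.te
#   checkmodule -M -m -o rsyslog_mysql.mod rsyslog_mysql.te
#   semodule_package -o rsyslog_mysql.pp -m rsyslog_mysql.mod
#   semodule -i rsyslog_mysql.pp
#   semodule -l | grep rsyslog_mysql                      # module is loaded
#   sesearch --allow -s syslogd_t -t mysqld_db_t -c dir   # rule is in the active policy
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | build_te rsyslog_mysql
```

Two checks worth running after `semodule -i`: `semodule -l` confirms the module is actually loaded, and `sesearch --allow` confirms the rule is in the active policy, which separates "module never installed" from "module installed but something else still denies". A quiet audit log after the install is not proof that nothing is denied: denials covered by dontaudit rules are not logged; on policycoreutils releases that support it, `semodule -DB` rebuilds the policy with dontaudit rules disabled so they become visible (`semodule -B` restores them).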

Best Answer

Woo!!

So I was very close with the semodule solution... It actually kind of worked, but I'm not 100% sure why. I rebooted the server and reloaded the semodule out of frustration. selinux is enabled and I'm seeing system messages show up in the database.

Hopefully this will help someone else if they stumble across it. Good luck!
