Details
-
Task
-
Resolution: Unresolved
-
Major - P3
-
4.2.0, 4.4, 5.0.0
-
None
Description
Per SERVER-63179, the following instructions need to be updated so that they do not cause excessive logging in the SELinux audit log:
The code in the "Create a custom policy file mongodb_proc_net.te:" section should become:
cat > mongodb_proc_net.te <<EOF
# Local SELinux policy module giving mongod_t the read/metadata access it
# needs under /proc, /sys and cgroup mounts (see SERVER-63179) so that the
# corresponding AVC denials stop filling the audit log.
module mongodb_proc_net 1.0;

require {
    # Domain being granted access.
    type mongod_t;

    # Targets: proc_net_t is the label of /proc/net (hence the module name);
    # file_type is the attribute carried by every file label on the system.
    type cgroup_t;
    type configfs_t;
    type file_type;
    type proc_net_t;
    type sysctl_fs_t;
    type var_lib_nfs_t;

    # Only the permissions used below are declared.
    class dir { search getattr };
    class file { getattr open read };
}

#============= mongod_t ==============

# cgroup hierarchy: traverse/stat directories, read files.
allow mongod_t cgroup_t:dir { search getattr };
allow mongod_t cgroup_t:file { getattr open read };

# configfs: metadata on the mount point only.
allow mongod_t configfs_t:dir getattr;

# NOTE: file_type matches every file label, so these two rules let mongod_t
# traverse and stat any directory and stat any file on the host. They are far
# broader than the rest of this module; keep them only if the server really
# requires them (SERVER-63179). If the sole goal is to silence audit noise
# for accesses that can safely keep failing, dontaudit is the narrower tool.
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;

# /proc/net: read-only.
allow mongod_t proc_net_t:file { open read };

# /proc/sys/fs and NFS state directory: directory traversal only.
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
EOF
Issue Links
- documents
-
SERVER-63179 Server requires new SELinux privileges
-
- Closed
-
- is related to
-
SERVER-63179 Server requires new SELinux privileges
-
- Closed
-
- related to
-
SERVER-66475 SELinux denials on sysctl_net_t
-
- Closed
-