Loading...

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: mongodb-2.6, mongodb-3.0
Affects Version/s: None
Component/s: manual
Labels:
None
Environment:
RHEL 7.0 with non-default MongoDB dbpath

By default, the SELinux policies on RHEL 7.0 do not seem to allow mongod to write to a non-default path.

If you try to change the dbpath for MongoDB - e.g. to /data/db, you will get an error from mongod like:

2014-10-10T00:00:18.883-0400 [initandlisten] MongoDB starting : pid=8257 port=27017 dbpath=/data/db 64-bit host=ip-172-31-4-153.ap-southeast-2.compute.internal
2014-10-10T00:00:18.883-0400 [initandlisten] db version v2.6.5
2014-10-10T00:00:18.883-0400 [initandlisten] git version: e99d4fcb4279c0279796f237aa92fe3b64560bf6
2014-10-10T00:00:18.883-0400 [initandlisten] build info: Linux build8.nj1.10gen.cc 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49
2014-10-10T00:00:18.883-0400 [initandlisten] allocator: tcmalloc
2014-10-10T00:00:18.883-0400 [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1" }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, storage: { dbPath: "/data/db" }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2014-10-10T00:00:18.883-0400 [initandlisten] exception in initAndListen std::exception: boost::filesystem::status: Permission denied: "/data/db/mongod.lock", terminating
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit:
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close listening sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to flush diaglog...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: waiting for fs preallocator...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: lock for final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: closing all files...
2014-10-10T00:00:18.883-0400 [initandlisten] closeAllFiles() finished
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit: really exiting now

This is despite the directory permissions seemingly being set correctly:

$ ls -laR /data
/data:
total 4
drwxr-xr-x.  3 mongod mongod   15 Oct  9 23:55 .
drwxr-xr-x. 18 root   root   4096 Oct 10 01:33 ..
drwxr-xr-x.  3 mongod mongod   84 Oct 10 00:01 db

/data/db:
total 81920
drwxr-xr-x. 3 mongod mongod       84 Oct 10 00:01 .
drwxr-xr-x. 3 mongod mongod       15 Oct  9 23:55 ..
-rw-r--r--. 1 mongod mongod        0 Oct  9 23:57 dummy_file
drwxr-xr-x. 2 mongod mongod        6 Oct 10 01:32 journal
-rw-------. 1 mongod mongod 67108864 Oct 10 01:31 local.0
-rw-------. 1 mongod mongod 16777216 Oct 10 01:31 local.ns
-rwxr-xr-x. 1 mongod mongod        0 Oct 10 01:32 mongod.lock

/data/db/journal:
total 0
drwxr-xr-x. 2 mongod mongod  6 Oct 10 01:32 .
drwxr-xr-x. 3 mongod mongod 84 Oct 10 00:01 ..

You can use the sealert tool to read the audit log, and you will see events triggered by mongod like so:

$ sudo sealert -a /var/log/audit/audit.log
 38% donestring index out of range
 42% done'list' object has no attribute 'split'
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from write access on the directory .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow mongod to have write access on the  directory
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that mongod should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ dir ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ip-172-31-4-153.ap-southeast-2.compute.internal
Platform                      Linux ip-172-31-4-153.ap-
                              southeast-2.compute.internal 3.10.0-123.el7.x86_64
                              #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-10-09 23:56:22 EDT
Last Seen                     2014-10-09 23:57:44 EDT
Local ID                      f8a4f375-aec8-4402-aa68-312055bc3fb9

Raw Audit Messages
type=AVC msg=audit(1412913464.542:300): avc:  denied  { write } for  pid=8148 comm="mongod" name="db" dev="xvda1" ino=17416775 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir


type=SYSCALL msg=audit(1412913464.542:300): arch=x86_64 syscall=open success=no exit=EACCES a0=5841458 a1=42 a2=1ff a3=7fffe78b6930 items=0 ppid=8147 pid=8148 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,default_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from getattr access on the file .                                                                                                                                                                                                                                                                                             [0/1862]

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow mongod to have getattr access on the  file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_lo
g_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_
tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cobbler_var_log_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condo
r_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_
client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log
_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_
log_t, firewallgui_tmp_t, foghorn_var_log_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_tmp_t, gear_log_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpm_tmp_t, groupd_var_log
_t, gssd_tmp_t, haproxy_var_log_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_log_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_w3c_validator_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t
, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_ca
che_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_
t, mdadm_tmp_t, mock_tmp_t, mongod_exec_t, mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_log_t, mpd_tmp_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tm
p_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_log_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, nscd_l
og_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenge
r_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfi
x_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, psad_tmp_t, psad_v
ar_log_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_
t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t
, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_a
gent_tmp_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tm
p_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor
_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_q
emu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vpnc_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wtmp_t, xauth_tmp_t, xdm_log_t, xdm_tmp_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_t
mp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that mongod should be allowed getattr access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ip-172-31-4-153.ap-southeast-2.compute.internal
Platform                      Linux ip-172-31-4-153.ap-
                              southeast-2.compute.internal 3.10.0-123.el7.x86_64
                              #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-10-09 23:59:39 EDT
Last Seen                     2014-10-10 01:33:57 EDT
Local ID                      3e4518db-1ecf-4c60-a97c-f69e226b1512

Raw Audit Messages
type=AVC msg=audit(1412919237.399:35): avc:  denied  { getattr } for  pid=800 comm="mongod" path="/data/db/mongod.lock" dev="xvda1" ino=17416779 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file


type=SYSCALL msg=audit(1412919237.399:35): arch=x86_64 syscall=stat success=no exit=EACCES a0=3c65458 a1=7fffc85e9db0 a2=7fffc85e9db0 a3=7fffc85e9920 items=0 ppid=799 pid=800 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(nul
l)

Hash: mongod,mongod_t,default_t,file,getattr

If you follow the recommendations there, you can use the audit2allow tool to generate a .pp policy file that you could then apply. However, the default generated policy file appears to be very permissive (basically allow it to write anywhere - assuming your directory access controls allow you to):

$ sudo grep mongod /var/log/audit/audit.log | audit2allow


#============= mongod_t ==============
allow mongod_t default_t:dir write;
allow mongod_t default_t:file getattr;

A better approach would be to create new types and context to allow mongod to write to wherever your dbpath is set to. It may be helpful to include some basic pointers on how to do this on our RHEL installation page.

Another alternative is to re-use the mongod_var_lib_t context that we already create:

$ sudo chcon -Rv --type=mongod_var_lib_t /data
changing security context of '/data/db/dummy_file'
changing security context of '/data/db/journal'
changing security context of '/data/db/local.0'
changing security context of '/data/db/local.ns'
changing security context of '/data/db/mongod.lock'
changing security context of '/data/db'
changing security context of '/data'

The issue there is that the naming's obviously not quite right.

is related to

DOCS-5622 Add SELinux Warning to Production Notes

Closed

SERVER-17847 Change our SELinux context on RHEL from mongod_var_lib_t to mongod_dbpath_t

Closed

related to

DOCS-5665 Finesse the configure SELinux in Production Notes

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates