- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: manual
- Labels: None
- Environment: RHEL 7.0 with non-default MongoDB dbpath
By default, the SELinux policies on RHEL 7.0 do not seem to allow mongod to write to a non-default path.
If you try to change the dbpath for MongoDB, e.g. to /data/db, you will get an error from mongod like:
2014-10-10T00:00:18.883-0400 [initandlisten] MongoDB starting : pid=8257 port=27017 dbpath=/data/db 64-bit host=ip-172-31-4-153.ap-southeast-2.compute.internal
2014-10-10T00:00:18.883-0400 [initandlisten] db version v2.6.5
2014-10-10T00:00:18.883-0400 [initandlisten] git version: e99d4fcb4279c0279796f237aa92fe3b64560bf6
2014-10-10T00:00:18.883-0400 [initandlisten] build info: Linux build8.nj1.10gen.cc 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49
2014-10-10T00:00:18.883-0400 [initandlisten] allocator: tcmalloc
2014-10-10T00:00:18.883-0400 [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1" }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, storage: { dbPath: "/data/db" }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2014-10-10T00:00:18.883-0400 [initandlisten] exception in initAndListen std::exception: boost::filesystem::status: Permission denied: "/data/db/mongod.lock", terminating
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit:
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close listening sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to flush diaglog...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: waiting for fs preallocator...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: lock for final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: closing all files...
2014-10-10T00:00:18.883-0400 [initandlisten] closeAllFiles() finished
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit: really exiting now
This is despite the directory permissions seemingly being set correctly:
$ ls -laR /data
/data:
total 4
drwxr-xr-x.  3 mongod mongod   15 Oct  9 23:55 .
drwxr-xr-x. 18 root   root   4096 Oct 10 01:33 ..
drwxr-xr-x.  3 mongod mongod   84 Oct 10 00:01 db

/data/db:
total 81920
drwxr-xr-x. 3 mongod mongod       84 Oct 10 00:01 .
drwxr-xr-x. 3 mongod mongod       15 Oct  9 23:55 ..
-rw-r--r--. 1 mongod mongod        0 Oct  9 23:57 dummy_file
drwxr-xr-x. 2 mongod mongod        6 Oct 10 01:32 journal
-rw-------. 1 mongod mongod 67108864 Oct 10 01:31 local.0
-rw-------. 1 mongod mongod 16777216 Oct 10 01:31 local.ns
-rwxr-xr-x. 1 mongod mongod        0 Oct 10 01:32 mongod.lock

/data/db/journal:
total 0
drwxr-xr-x. 2 mongod mongod  6 Oct 10 01:32 .
drwxr-xr-x. 3 mongod mongod 84 Oct 10 00:01 ..
You can use the sealert tool to read the audit log, and you will see events triggered by mongod like so:
$ sudo sealert -a /var/log/audit/audit.log
38% donestring index out of range
42% done'list' object has no attribute 'split'
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from write access on the directory .

*****  Plugin catchall_labels (83.8 confidence) suggests  *******************

If you want to allow mongod to have write access on the directory
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

*****  Plugin catchall (17.1 confidence) suggests  **************************

If you believe that mongod should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ dir ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ip-172-31-4-153.ap-southeast-2.compute.internal
Platform                      Linux ip-172-31-4-153.ap-southeast-2.compute.internal 3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-10-09 23:56:22 EDT
Last Seen                     2014-10-09 23:57:44 EDT
Local ID                      f8a4f375-aec8-4402-aa68-312055bc3fb9

Raw Audit Messages
type=AVC msg=audit(1412913464.542:300): avc:  denied  { write } for  pid=8148 comm="mongod" name="db" dev="xvda1" ino=17416775 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

type=SYSCALL msg=audit(1412913464.542:300): arch=x86_64 syscall=open success=no exit=EACCES a0=5841458 a1=42 a2=1ff a3=7fffe78b6930 items=0 ppid=8147 pid=8148 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,default_t,dir,write
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from getattr access on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests  *******************

If you want to allow mongod to have getattr access on the file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cobbler_var_log_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_tmp_t, gear_log_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_log_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_w3c_validator_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mdadm_tmp_t, mock_tmp_t, mongod_exec_t, mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_log_t, mpd_tmp_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_log_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, nscd_log_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, psad_tmp_t, psad_var_log_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vpnc_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wtmp_t, xauth_tmp_t, xdm_log_t, xdm_tmp_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

*****  Plugin catchall (17.1 confidence) suggests  **************************

If you believe that mongod should be allowed getattr access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ip-172-31-4-153.ap-southeast-2.compute.internal
Platform                      Linux ip-172-31-4-153.ap-southeast-2.compute.internal 3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-10-09 23:59:39 EDT
Last Seen                     2014-10-10 01:33:57 EDT
Local ID                      3e4518db-1ecf-4c60-a97c-f69e226b1512

Raw Audit Messages
type=AVC msg=audit(1412919237.399:35): avc:  denied  { getattr } for  pid=800 comm="mongod" path="/data/db/mongod.lock" dev="xvda1" ino=17416779 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1412919237.399:35): arch=x86_64 syscall=stat success=no exit=EACCES a0=3c65458 a1=7fffc85e9db0 a2=7fffc85e9db0 a3=7fffc85e9920 items=0 ppid=799 pid=800 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,default_t,file,getattr
If you follow the recommendations there, you can use the audit2allow tool to generate a .pp policy file that you could then apply. However, the default generated policy file appears to be very permissive (basically allowing mongod to write anywhere, assuming your directory access controls allow it):
$ sudo grep mongod /var/log/audit/audit.log | audit2allow
#============= mongod_t ==============
allow mongod_t default_t:dir write;
allow mongod_t default_t:file getattr;
A better approach would be to create new types and contexts to allow mongod to write to wherever your dbpath is set to. It may be helpful to include some basic pointers on how to do this on our RHEL installation page.
Another alternative is to re-use the mongod_var_lib_t context that we already create:
$ sudo chcon -Rv --type=mongod_var_lib_t /data
changing security context of '/data/db/dummy_file'
changing security context of '/data/db/journal'
changing security context of '/data/db/local.0'
changing security context of '/data/db/local.ns'
changing security context of '/data/db/mongod.lock'
changing security context of '/data/db'
changing security context of '/data'
The issue there is that the naming's obviously not quite right.
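The two fixes the ticket contrasts can be derived straight from the raw AVC records in the sealert output. The following Python is an added example, not code from the ticket or the MongoDB project: it embeds the two AVC records quoted above as constructed sample input, reproduces the rule audit2allow emits for each (the broad fix), and, when every denied target carries the generic default_t label, emits the persistent semanage fcontext + restorecon relabel that is the durable form of the chcon shown above (the mongod_var_lib_t type and the /data dbpath are assumptions following the ticket).

```python
import re
from dataclasses import dataclass

# Constructed sample: the two raw AVC records from the sealert output above.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1412913464.542:300): avc:  denied  { write } for  pid=8148 comm="mongod" '
    'name="db" dev="xvda1" ino=17416775 scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1412919237.399:35): avc:  denied  { getattr } for  pid=800 comm="mongod" '
    'path="/data/db/mongod.lock" dev="xvda1" ino=17416779 scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple       # permissions denied, e.g. ('write',)
    target: str        # path= when the kernel logged it, otherwise name=
    source_type: str   # type component of scontext, e.g. mongod_t
    target_type: str   # type component of tcontext, e.g. default_t
    tclass: str        # object class: dir, file, ...

def parse_avc(line):
    """Parse one type=AVC record from audit.log; returns None for non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context reads user:role:type[:level]; index 2 is the type.
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        target=fields.get('path', fields.get('name', '?')),
        source_type=fields['scontext'].split(':')[2],
        target_type=fields['tcontext'].split(':')[2],
        tclass=fields['tclass'],
    )

def allow_rule(d):
    """The rule audit2allow emits for this denial. Note it grants the access on EVERY
    object labelled target_type system-wide, not just the dbpath: the permissive fix."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {perms};'

def relabel_fix(denials, dbpath, file_type='mongod_var_lib_t'):
    """Narrow fix: when every denial hit an unlabelled (default_t) object, return the
    persistent relabel commands for dbpath; [] otherwise, since relabelling would not help."""
    if any(d.target_type != 'default_t' for d in denials):
        return []
    return [f"semanage fcontext -a -t {file_type} '{dbpath}(/.*)?'",
            f'restorecon -Rv {dbpath}']

if __name__ == '__main__':
    print('\n'.join(allow_rule(d) for d in map(parse_avc, SAMPLE_AVC_LINES)))
```

chcon sets the label on the inodes only and is undone by the next relabel, whereas semanage fcontext records the mapping in the policy's file-context database so restorecon reapplies it.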
- is related to
  - DOCS-5622 Add SELinux Warning to Production Notes - Closed
  - SERVER-17847 Change our SELinux context on RHEL from mongod_var_lib_t to mongod_dbpath_t - Closed
- related to
  - DOCS-5665 Finesse the configure SELinux in Production Notes - Closed