Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.6.9
Component/s: None
Regardless of the collection and the DB, the mongod service crashes or gets terminated.
Neither the stack trace of the process nor the MongoDB logs contain any information on the issue.
db.Collection.find( { $where : "Array.isArray(this.resources.resource)" } );
SELinux reports that it prevented mongod from using the execmem...
SELinux is preventing /usr/bin/mongod from using the 'execmem' accesses on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:system_r:mongod_t:s0
Target Objects Unknown [ process ]
Source mongod
Source Path /usr/bin/mongod
Port <Unknown>
Host (removed)
Source RPM Packages mongodb-org-server-2.6.9-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-229.1.2.el7.x86_64 #1 SMP
Fri Mar 27 03:04:26 UTC 2015 x86_64 x86_64
Alert Count 14
First Seen 2015-04-24 16:21:08 BST
Last Seen 2015-04-28 16:03:35 BST
Local ID ba73681d-8957-4859-94c2-87547ed45c1f
Raw Audit Messages
type=AVC msg=audit(1430233415.423:1705): avc: denied { execmem } for pid=49630 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
type=SYSCALL msg=audit(1430233415.423:1705): arch=x86_64 syscall=mmap success=no exit=EACCES a0=2359dc4b5000 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=49630 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
Hash: mongod,mongod_t,mongod_t,process,execmem
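
An added example, not part of the original report or of MongoDB's code: it pairs the AVC and SYSCALL records above by audit serial number and decodes the mmap arguments, which shows that the denied call requested a private anonymous mapping that is readable, writable and executable at once. The function names and flag tables (Linux x86_64 values) are this example's own, and it assumes the interpreted record form shown above, where `syscall=mmap` and `a1`..`a3` are hexadecimal.

```python
import re

# Constructed sample: the two raw audit records from the report above,
# shortened to the fields this script reads.
SAMPLE = """\
type=AVC msg=audit(1430233415.423:1705): avc: denied { execmem } for pid=49630 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
type=SYSCALL msg=audit(1430233415.423:1705): arch=x86_64 syscall=mmap success=no exit=EACCES a0=2359dc4b5000 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=49630 comm=mongod exe=/usr/bin/mongod
"""

# mmap(2) protection and mapping flag bits on Linux x86_64.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_bits(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def execmem_events(text):
    """Group records by audit serial; keep events whose AVC denied execmem."""
    events = {}
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue
        rtype, serial = header.groups()
        event = events.setdefault(serial, {})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[header.end():])}
        if rtype == "AVC":
            perms = PERMS.search(line)
            event["perms"] = perms.group(1).split() if perms else []
            event["scontext"] = fields.get("scontext")
        elif rtype == "SYSCALL" and fields.get("syscall") == "mmap":
            event["exe"] = fields.get("exe")
            event["length"] = int(fields["a1"], 16)                      # bytes requested
            event["prot"] = decode_bits(int(fields["a2"], 16), PROT)     # a2 = prot
            event["map_flags"] = decode_bits(int(fields["a3"], 16), MAP) # a3 = flags
    return {s: e for s, e in events.items() if "execmem" in e.get("perms", [])}

if __name__ == "__main__":
    for serial, event in execmem_events(SAMPLE).items():
        print(serial, event)
```
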