Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-23863

MongoDB v3.2.5 crash due to permission denied execmem - SELinux CentOS 7

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Duplicate
    • Affects Version/s: 3.2.5
    • Fix Version/s: None
    • Component/s: Admin, Security
    • Labels:
      None
    • Operating System:
      Linux
    • Steps To Reproduce:
      Hide

      1. Fresh install of CentOS 7 Minimal
      2. Install v3.2.5 through `yum`
      3. Default `mongod.conf`
      4. Run `service start mongod`

      Show
      1. Fresh install of CentOS 7 Minimal 2. Install v3.2.5 through `yum` 3. Default `mongod.conf` 4. Run `service start mongod`
    • Sprint:
      Platforms 15 (06/03/16)

      Description

      MongoDB v3.2.5 crash due to permission denied running on CentOS 7 (Minimal) with:

      • SELinux set to enforcing mode.
      • semanage port -a -t mongod_port_t -p tcp 27017

      The setup above is one of the options described in the manual Install MongoDB RedHat: configure SELinux.

      Although setting SELINUX value to 'permissive' and 'disabled' works. Below is mongod log:

      2016-04-22T01:43:38.145-0400 F -        [main] terminate() called. An exception is active; attempting to gather more information
      2016-04-22T01:43:38.151-0400 F -        [main] std::exception::what(): Permission denied
      Actual exception type: std::system_error
       
       0x1315152 0x1314ca2 0x1ae3a26 0x1ae3a53 0x1ae3b5f 0x1b2adf0 0x1b2bd08 0x1313e3b 0x96c5a9 0x7f2f08d66b15 0x9af519
      ----- BEGIN BACKTRACE -----
      {"backtrace":[{"b":"400000","o":"F15152","s":"_ZN5mongo15printStackTraceERSo"},{"b":"400000","o":"F14CA2"},{"b":"400000","o":"16E3A26","s":"_ZN10*cxxabiv111*terminateEPFvvE"},{"b":"400000","o":"16E3A53"},{"b":"400000","o":"16E3B5F"},{"b":"400000","o":"172ADF0","s":"_ZSt20__throw_system_errori"},{"b":"400000","o":"172BD08","s":"_ZNSt6thread15_M_start_threadESt10shared_ptrINS_10_Impl_baseEE"},{"b":"400000","o":"F13E3B","s":"_ZN5mongo27startSignalProcessingThreadEv"},{"b":"400000","o":"56C5A9","s":"main"},{"b":"7F2F08D45000","o":"21B15","s":"__libc_start_main"},{"b":"400000","o":"5AF519"}],"processInfo":{ "mongodbVersion" : "3.2.5", "gitVersion" : "34e65e5383f7ea1726332cb175b73077ec4a1b02", "compiledModules" : [], "uname" : { "sysname" : "Linux", "release" : "3.10.0-229.el7.x86_64", "version" : "#1 SMP Fri Mar 6 11:36:42 UTC 2015", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000", "buildId" : "E1D27C740D288CA58F4C028925853CA7B41DD98A" }, { "b" : "7FFFB98FE000", "elf
       Type" : 3, "buildId" : "CBFB9E3C89636A82FF8DA0DBDD27455704C5A38F" }, { "b" : "7F2F0A02E000", "path" : "/lib64/libssl.so.10", "elfType" : 3, "buildId" : "478D01A08B923A251D755BB421F3EBAF9F2982C1" }, { "b" : "7F2F09C46000", "path" : "/lib64/libcrypto.so.10", "elfType" : 3, "buildId" : "6A997DC6D2CFD6702B987BF1B4926ABBA91691B8" }, { "b" : "7F2F09A3E000", "path" : "/lib64/librt.so.1", "elfType" : 3, "buildId" : "CB0D2C9F29DBD13C47E7D2EEFB94B35835698CCA" }, { "b" : "7F2F0983A000", "path" : "/lib64/libdl.so.2", "elfType" : 3, "buildId" : "091060A163E7EDA25572F3B1BAF2E8F80209C00E" }, { "b" : "7F2F09538000", "path" : "/lib64/libm.so.6", "elfType" : 3, "buildId" : "F9DF294FB70243549DCB643F1322BB20E70E9FE8" }, { "b" : "7F2F09322000", "path" : "/lib64/libgcc_s.so.1", "elfType" : 3, "buildId" : "6AA1DCC4DE7F1836344949857FC2017278631FFD" }, { "b" : "7F2F09106000", "path" : "/lib64/libpthread.so.0", "elfType" : 3, "buildId" : "723F0AC75EF88E778940AE8A8BC30141D85B116A" }, { "b" : "7F2F08D45000", "
       path" : "/lib64/libc.so.6", "elfType" : 3, "!
       buildId" : "E36C6455B21C1CB68020709A8D5466DCFD2D47F2" }, { "b" : "7F2F0A29B000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3, "buildId" : "09E1BB4D034C7263810A41100647068858A7ECB6" }, { "b" : "7F2F08AF9000", "path" : "/lib64/libgssapi_krb5.so.2", "elfType" : 3, "buildId" : "D46A230FFF4A7B808B3CFC213D31FCAC542FB504" }, { "b" : "7F2F08814000", "path" : "/lib64/libkrb5.so.3", "elfType" : 3, "buildId" : "6D6136A0E795420B05854DEF13A10C226FE9CCB2" }, { "b" : "7F2F08610000", "path" : "/lib64/libcom_err.so.2", "elfType" : 3, "buildId" : "3A1166709F88740C49E060731832E3FAD2DFB66B" }, { "b" : "7F2F083DE000", "path" : "/lib64/libk5crypto.so.3", "elfType" : 3, "buildId" : "AA97A848DD7C9E57B06EC913E10D420AEBBCE027" }, { "b" : "7F2F081C8000", "path" : "/lib64/libz.so.1", "elfType" : 3, "buildId" : "1982C8CDAE90F898D1AD26DC07E807333B4789D0" }, { "b" : "7F2F07FB9000", "path" : "/lib64/libkrb5support.so.0", "elfType" : 3, "buildId" : "AEF6C3D3C5152F339942041519A106FC055DAF71" }, { "b" : "7F
       2F07DB5000", "path" : "/lib64/libkeyutils.so.1", "elfType" : 3, "buildId" : "2E01D5AC08C1280D013AAB96B292AC58BC30A263" }, { "b" : "7F2F07B9B000", "path" : "/lib64/libresolv.so.2", "elfType" : 3, "buildId" : "6E8E8C2F494B0CB0B37B082679A701417597E5F2" }, { "b" : "7F2F07976000", "path" : "/lib64/libselinux.so.1", "elfType" : 3, "buildId" : "82FF6B18E1E42825CC2D060F969479AD4AF2F62C" }, { "b" : "7F2F07715000", "path" : "/lib64/libpcre.so.1", "elfType" : 3, "buildId" : "30FA397B01197ECABC647CBD8E75FDD5B743D730" }, { "b" : "7F2F074F0000", "path" : "/lib64/liblzma.so.5", "elfType" : 3, "buildId" : "218D03D1F6CF1A099A4D467B5E8ECF4F2BF45750" } ] }}
       mongod(_ZN5mongo15printStackTraceERSo+0x32) [0x1315152]
       mongod(+0xF14CA2) [0x1314ca2]
       mongod(_ZN10*cxxabiv111*terminateEPFvvE+0x6) [0x1ae3a26]
       mongod(+0x16E3A53) [0x1ae3a53]
       mongod(+0x16E3B5F) [0x1ae3b5f]
       mongod(_ZSt20__throw_system_errori+0x80) [0x1b2adf0]
       mongod(_ZNSt6thread15_M_start_threadESt10shared_ptrINS_10_Impl_baseEE+0x248) [0x1b2bd08]
       mongod(_ZN5mongo27startSignalProcessingThreadEv+0xBB) [0x1313e3b]
       mongod(main+0x149) [0x96c5a9]
       libc.so.6(__libc_start_main+0xF5) [0x7f2f08d66b15]
       mongod(+0x5AF519) [0x9af519]
      -----  END BACKTRACE  -----
      

      Entries of /var/log/audit/audit.log matching mongod:

      type=CRED_ACQ msg=audit(1461305956.152:383): pid=12355 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="mongod" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
      type=USER_START msg=audit(1461305956.152:384): pid=12355 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="mongod" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
      type=AVC msg=audit(1461305956.175:385): avc:  denied  { execmem } for  pid=12359 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
      type=SYSCALL msg=audit(1461305956.175:385): arch=c000003e syscall=9 per=400000 success=no exit=-13 a0=0 a1=801000 a2=7 a3=20022 items=0 ppid=12358 pid=12359 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="mongod" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
      type=ANOM_ABEND msg=audit(1461305956.183:386): auid=4294967295 uid=998 gid=997 ses=4294967295 subj=system_u:system_r:mongod_t:s0 pid=12359 comm="mongod" reason="memory violation" sig=6
      type=USER_END msg=audit(1461305956.183:387): pid=12355 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_unix acct="mongod" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
      type=CRED_DISP msg=audit(1461305956.183:388): pid=12355 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="mongod" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
      type=SERVICE_START msg=audit(1461305956.194:389): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="mongod" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
      

      It looks like permission denied on execmem. The same configuration works in v3.2.4.

      CentOS 7 minimal CentOS Linux release 7.1.1503 (Core)
      MongoDB version v3.2.5:

      db version v3.2.5
      git version: 34e65e5383f7ea1726332cb175b73077ec4a1b02
      OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
      allocator: tcmalloc
      modules: none
      build environment:
          distmod: rhel70
          distarch: x86_64
          target_arch: x86_64
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: