  1. Core Server
  2. SERVER-38704

RPM Binary -- SELinux Module Denials

    Details

    • Operating System:
      Linux
    • Steps To Reproduce:

      Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo.

      Ensure that SELinux is enabled and the current mode is set to enforcing:

      sestatus
      

      And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled):

      semodule -l | grep mongo 
      

      Start the MongoDB service:

      systemctl start mongod 
      

      Check the MongoDB service status (should still be running):

      systemctl status mongod
      

      Examine the failures and the suggested remedy (may require two iterations of audit2allow, one for read and one for open):

      grep -i ftdc /var/log/audit/audit.log | audit2allow -a
      

       


      Description

      In SERVER-31400 mongod started attempting to read netstat metrics from /proc/net and store them in FTDC. The problem is that on RHEL 7 the following is true (by default):

      1. SELinux is enabled and in enforcing mode
      2. There is an SELinux module for mongodb that is also enabled
      3. The mongodb module does not explicitly allow {open read} on /proc/net

      Because of this, mongod – when installed via our YUM repos – will fail to capture netstat data in FTDC and continually log the access violations in the audit.log:

      tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
      type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
      

        Attachments

        1. diag.after.tar
          100 kB
        2. diag.before.tar
          40 kB
        3. rough-potential-patch.diff
          2 kB

              People

              Assignee:
              backlog-server-build Backlog - Build Team
              Reporter:
              matt.lord Matt Lord
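A simplified version of the grouping that audit2allow performs on the denials quoted in the description, as an added Python example (not part of the original ticket and not MongoDB's or the SELinux project's code). It parses the AVC records and renders the single allow rule they imply, so the rule can be reviewed before any policy change; the function names and the SYSCALL sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the issue plus one
# constructed non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1544632229.000:45233): arch=c000003e syscall=2 success=no exit=-13 comm="ftdc"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one denied-AVC record, or None for other lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts are user:role:type:level; allow rules use only the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text, comm=None):
    """Group denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get("comm") != comm):
            continue
        needed[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return dict(needed)

def to_allow_rules(needed):
    """Render the grouped denials as type-enforcement allow rules for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AUDIT_LOG, comm="ftdc")):
        print(rule)
```

Run against the first record alone, it yields only `{ read }`, which matches the note in the steps that one audit2allow pass is needed for read and another for open.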