Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-38704

RPM Binary -- SELinux Module Denials

    • Fully Compatible
    • Linux
    • Hide

      Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo.

      Ensure that SELinux is enabled and the current mode is set to enforcing:

      sestatus
      

      And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled):

      semodule -l | grep mongo 
      

      Start the MongoDB service:

      systemctl start mongod 
      

      Check the MongoDB service status (should still be running):

      systemctl status mongod
      

      Examine the failures and the suggested remedy (may require 2 iterations using audit2allow, 1 for read and one for open):

      grep -i ftdc /var/log/audit/audit.log | audit2allow -a
      

       

      Show
      Install MongoDB 4.0 on a RHEL7 machine using the instructions  for our YUM repo. Ensure that SELinux is enabled and the current mode is set to enforcing: sestatus And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled): semodule -l | grep mongo Start the MongoDB service: systemctl start mongod Check the MongoDB service status (should still be running): systemctl status mongod Examine the failures and the suggested remedy (may require 2 iterations using audit2allow, 1 for read and one for open): grep -i ftdc / var /log/audit/audit.log | audit2allow -a  
    • Security 2021-08-23, Security 2021-09-20, Security 2021-10-04

      In SERVER-31400 mongod started attempting to read netstat metrics from /proc/net and store them in FTDC. The problem is that on RHEL 7 the following is true (by default):

      1. SELinux is enabled and in enforcing mode
      2. There is an SELinux module for mongodb that is also enabled
      3. The mongodb module does not explicitly allow {open read} on /proc/net

      Because of this, mongod – when installed via our YUM repos – will fail to capture netstat data in FTDC and continually log the access violations in the audit.log:

      tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
      type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
      

        1. rough-potential-patch.diff
          2 kB
        2. diag.before.tar
          40 kB
        3. diag.after.tar
          100 kB

            Assignee:
            sergey.galtsev@mongodb.com Sergey Galtsev (Inactive)
            Reporter:
            matt.lord Matt Lord (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            19 Start watching this issue

              Created:
              Updated:
              Resolved: