Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.1.0-rc0
Affects Version/s: 3.4.16, 3.6.6, 4.0.0
Component/s: Packaging, Security
Labels:
- RHEL
- rpm
- selinux
- yum

Backwards Compatibility:
Fully Compatible
Operating System:
Linux
Steps To Reproduce:
Hide

Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo.

Ensure that SELinux is enabled and the current mode is set to enforcing:

sestatus

And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled):

semodule -l | grep mongo

Start the MongoDB service:

systemctl start mongod

Check the MongoDB service status (should still be running):

systemctl status mongod

Examine the failures and the suggested remedy (may require 2 iterations using audit2allow, 1 for read and one for open):

grep -i ftdc /var/log/audit/audit.log | audit2allow -a
Show
Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo. Ensure that SELinux is enabled and the current mode is set to enforcing: sestatus And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled): semodule -l | grep mongo Start the MongoDB service: systemctl start mongod Check the MongoDB service status (should still be running): systemctl status mongod Examine the failures and the suggested remedy (may require 2 iterations using audit2allow, 1 for read and one for open): grep -i ftdc / var /log/audit/audit.log | audit2allow -a
Sprint:
Security 2021-08-23, Security 2021-09-20, Security 2021-10-04
Case:

In ~~SERVER-31400~~ mongod started attempting to read netstat metrics from /proc/net and store them in FTDC. The problem is that on RHEL 7 the following is true (by default):

SELinux is enabled and in enforcing mode
There is an SELinux module for mongodb that is also enabled
The mongodb module does not explicitly allow {open read} on /proc/net

Because of this, mongod – when installed via our YUM repos – will fail to capture netstat data in FTDC and continually log the access violations in the audit.log:

tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

diag.after.tar
100 kB
Dec 19 2018 08:54:48 PM UTC
diag.before.tar
40 kB
Dec 19 2018 08:54:48 PM UTC
rough-potential-patch.diff
2 kB
Jan 05 2019 07:13:27 AM UTC

depends on

SERVER-56544 SELINUX: create a code patch, post for review; address the CR comments, get approval and merge

Closed

is caused by

SERVER-31400 Record Linux netstat metrics in ftdc

Closed

is related to

DOCS-11073 Add more details about working around SELinux constraints

Closed

links to

Proposed upstream patch

RedHat 7 Backport Request

Assignee:: Sergey Galtsev (Inactive)

Reporter:: Matt Lord (Inactive)

Participants:: Mark Benvenuto, Matt Lord, Sergey Galtsev

Votes:: 0 Vote for this issue

Watchers:: 19 Start watching this issue

Created:: Dec 19 2018 03:57:38 PM UTC

Updated:: Oct 29 2023 10:25:34 PM UTC

Resolved:: Sep 28 2021 11:37:38 PM UTC

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates