SERVER-63179

Server requires new SELinux privileges

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 4.2.18
    • Component/s: None
    • ALL
      1. Create a CentOS7 server with selinux set to enforcing
      2. Install MongoDB server 4.2.17, following the installation instructions to modify selinux policies
      3. Start MongoDB server
      4. Observe that there are no unusual selinux messages
      5. Upgrade MongoDB server to 4.2.18
      6. Observe that any item which shows up in /etc/mtab is triggering a selinux deny, attributed to ftdc.
    • Security 2022-02-21, Security 2022-03-07, Security 2022-04-18

      During our project's upgrade from mongodb-org-server-4.2.17-1.el7.x86_64 to mongodb-org-server-4.2.18-1.el7.x86_64, we observed a flood of selinux messages related to FTDC. It appears that FTDC is scanning all mounted volumes, cgroups, etc., and the selinux policy recommended in the MongoDB documentation does not grant enough privileges to facilitate that process.

       

      Here is one avc deny from a CentOS7 box:

      node=<hostname> type=AVC msg=audit(1643730988.007:62064): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/mnt/software" dev="0:42" ino=3267542206855034467 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
      
      node=<hostname> type=SYSCALL msg=audit(1643730988.007:62064): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2dd99f1b0 a1=7fe2dd99eee0 a2=7fe2dd99eee0 a3=0 items=1 ppid=1 pid=1309 auid=4294967295 uid=995 gid=991 euid=995 suid=995 fsuid=995 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
      
      node=<hostname> type=CWD msg=audit(1643730988.007:62064):  cwd="/"
      
      node=<hostname> type=PATH msg=audit(1643730988.007:62064): item=0 name="/mnt/software" inode=3267542206855034467 dev=00:2a mode=040777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
      
      node=<hostname> type=PROCTITLE msg=audit(1643730988.007:62064): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66
      I was able to work around this issue by granting additional privileges:

       gen_require(`
              type proc_net_t;
      +       type configfs_t;
      +       type file_type;
      -        class dir search;
      +        class dir { search getattr };
              class file { getattr open read write};
       ')
      # Permits mongod_t to access /proc/net/snmp
       allow mongod_t proc_net_t:file { open read };
      
       # Permits mongod_t to access /sys/fs/cgroup/memory/memory.limit_in_bytes
      -allow mongod_t cgroup_t:dir search;
      +allow mongod_t cgroup_t:dir { search getattr } ;
       allow mongod_t cgroup_t:file { getattr open read };
      
      +# Permits mongod_t to get mounted directory information, for disk utilization monitoring
      +allow mongod_t file_type:file getattr;
      +allow mongod_t file_type:dir { getattr search };
      +allow mongod_t configfs_t:dir getattr;
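Review bot: the three `file_type` rules at the end of this hunk grant far more than the evidence in this report calls for. `file_type` is the attribute carried by essentially every labeled file and directory on the system, so `allow mongod_t file_type:dir { getattr search };` and `allow mongod_t file_type:file getattr;` let mongod stat and traverse every directory and stat every file, whereas the only AVC quoted above is `{ getattr }` on a single `dir` of type `nfs_t`, and nothing in the report shows a denied `search` or a denied `file getattr`. Suggest replacing those three lines with rules for the target types actually seen in the audit log, e.g. `allow mongod_t nfs_t:dir getattr;` alongside the `cgroup_t` and `configfs_t` rules already here, and adding further types only as further denials appear. Two smaller points: `file_type` is an attribute, so the require block should read `attribute file_type;` rather than `type file_type;`, and widening `cgroup_t:dir search` to `{ search getattr }` matches the /etc/mtab walk described in the steps to reproduce and is fine as is.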
       

       

      I suspect that SERVER-28953 created this situation, and am unsure if the proper way to rectify it is to modify the MongoDB documentation to allow for the additional privileges, or to change the new capabilities of FTDC.
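
As an added illustration, not code from the reporter or from MongoDB, the following Python script does the aggregation step that the policy diff above short-cuts with `file_type`: it parses `type=AVC` audit records, keeps only enforced or would-be-enforced denials (records with `permissive=1` are kept, since those are exactly what a module must cover once enforcing is switched on), groups them by source type, target type and object class, and emits the narrowest `allow` rules that cover them. The sample records are constructed for the example: the first AVC and the SYSCALL line are the ones quoted in this report with the hostname replaced, and the `cgroup_t`, `configfs_t`, `/mnt/data` and `conn12` records are made up to exercise aggregation, the permissive flag and the `comm` filter. The `comm="ftdc"` filter is an assumption about how one would isolate the FTDC thread's denials from the rest of mongod's.

```python
import re
from collections import defaultdict

# Constructed sample records for this example. The first AVC and the SYSCALL
# record are the ones quoted in the report (hostname replaced); the cgroup_t,
# configfs_t, /mnt/data and conn12 records are made up to show aggregation,
# permissive=1 handling and the comm filter.
SAMPLE_AUDIT_LINES = [
    'node=db1 type=AVC msg=audit(1643730988.007:62064): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/mnt/software" dev="0:42" ino=3267542206855034467 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0',
    'node=db1 type=SYSCALL msg=audit(1643730988.007:62064): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2dd99f1b0 a1=7fe2dd99eee0 a2=7fe2dd99eee0 a3=0 items=1 ppid=1 pid=1309 auid=4294967295 uid=995 gid=991 euid=995 suid=995 fsuid=995 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)',
    'node=db1 type=AVC msg=audit(1643730988.011:62065): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/sys/fs/cgroup/memory" dev="cgroup" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0',
    'node=db1 type=AVC msg=audit(1643730988.012:62066): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/sys/kernel/config" dev="configfs" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0',
    'node=db1 type=AVC msg=audit(1643730989.000:62070): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/mnt/data" dev="0:43" ino=77 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1',
    'node=db1 type=AVC msg=audit(1643730990.000:62075): avc:  denied  { read } for  pid=1309 comm="conn12" path="/mnt/software/notes.txt" dev="0:42" ino=78 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0',
]

# key=value tokens of an audit record (values may be double-quoted).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The verdict and permission set that precede the key=value part of an AVC.
VERDICT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None unless it is a type=AVC record."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "AVC":
        return None
    m = VERDICT_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group(1),
        "perms": frozenset(m.group(2).split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def collect_denials(lines, comm=None):
    """Aggregate denials into (source type, target type, class) -> perms/paths.

    permissive=1 records are kept on purpose: they are what would be denied
    in enforcing mode, which is exactly what a policy module has to cover.
    comm, if given, restricts the result to one thread/program name.
    """
    needed = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if comm is not None and rec["comm"] != comm:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        needed[key]["perms"] |= rec["perms"]
        if rec["path"]:
            needed[key]["paths"].add(rec["path"])
    return dict(needed)


def to_allow_rules(needed):
    """Render the narrowest Type Enforcement allow rules covering the denials."""
    rules = []
    for (stype, ttype, tclass), info in sorted(needed.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_AUDIT_LINES, comm="ftdc")
    for key, info in sorted(denials.items()):
        print(key, sorted(info["perms"]), sorted(info["paths"]))
    print("\n".join(to_allow_rules(denials)))
```

Run against real data with `ausearch -m AVC -ts recent` piped into the script in place of the constructed list. For the sample above it produces one `dir getattr` rule each for `cgroup_t`, `configfs_t` and `nfs_t`, with `/mnt/software` and `/mnt/data` recorded as the paths behind the `nfs_t` rule; the `conn12` file read is left out by the `comm` filter, and the SYSCALL record is ignored. Each new mount-point type that shows up in the log adds one narrow rule rather than a blanket grant on `file_type`.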

       

            Assignee:
            sergey.galtsev@mongodb.com Sergey Galtsev (Inactive)
            Reporter:
            kevyn.weiner@gdit.com Kevyn Weiner
            Votes:
            0
            Watchers:
            7
