Type: Bug
Resolution: Duplicate
Priority: Major - P3
Affects Version/s: None
Component/s: None
Environment: MongoDB 5.0 and CentOS 7
Problem Statement/Rationale
I'm running MongoDB 5.0 on a CentOS 7 virtual machine. SELinux is enabled and currently set to enforcing. SELinux is preventing Mongo from accessing multiple files and directories. As a result, /var/log/ is filling quite fast with messages. Attached, you can see my custom .te policy I put in place and compiled. This took care of most of the issues, so the fill up has been brought to a crawl, thankfully. But, as per the other screenshot, you can see that SELinux is still preventing Mongo on a couple of things, specifically /proc/<pid>/net/snmp and /proc/<pid>/net/netstat.
Steps to Reproduce
Establish a server with the same OS and version of Mongo with SELinux enabled. You should be able to see the same errors being produced in /var/log/messages.
Expected Results
I would like to not have SELinux be blocking these things for Mongo any longer. I don't want /var/log/messages filling up with these types of alerts any longer.
Actual Results
/var/log/messages is filling up with SELinux alerts that are telling me that SELinux is preventing ftdc from open access on the specified files above.
Additional Notes
I'm thinking that if we added the getattr and open properties to the proc_net_t line in my .te policy file (screenshot attached), this would resolve it. But, we do not want Mongo to be able to do those things, it is too permissive.
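Before deciding whether a denial should be granted in a local policy module, it helps to see exactly which (source domain, target type, object class) tuples the kernel is refusing and which permissions each one needs, rather than reading one setroubleshoot summary at a time in /var/log/messages. The script below is an added example, not part of the ticket or of MongoDB's own tooling: it parses raw AVC records in the audit.log format, groups them by that tuple, and prints the allow rule each group would correspond to. The sample records are constructed (pids, timestamps and inode numbers are made up) and model the ftdc denials the report describes; mongod_t is the domain the CentOS 7 targeted policy assigns to mongod, and proc_net_t is the type the reporter already names for /proc/<pid>/net.

```python
"""Aggregate SELinux AVC denials into (source domain, target type, class) -> permissions.

Added example; not part of the ticket or of MongoDB's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records modelled on the denials described in the
# ticket (mongod's ftdc thread reading /proc/<pid>/net/snmp and netstat).
# Pids, timestamps and inode numbers are made up.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1640000000.101:201): avc:  denied  { getattr } for  pid=1234 comm="ftdc" '
    'path="/proc/1234/net/snmp" dev="proc" ino=4026531957 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1640000000.102:202): avc:  denied  { open } for  pid=1234 comm="ftdc" '
    'path="/proc/1234/net/snmp" dev="proc" ino=4026531957 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1640000001.103:203): avc:  denied  { open } for  pid=1234 comm="ftdc" '
    'path="/proc/1234/net/netstat" dev="proc" ino=4026531958 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    # A directory-class denial on the same target type (constructed), to show grouping by class.
    'type=AVC msg=audit(1640000001.104:204): avc:  denied  { search } for  pid=1234 comm="ftdc" '
    'name="net" dev="proc" ino=4026531956 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir permissive=0',
    # A non-AVC audit record, which the parser must skip.
    'type=SYSCALL msg=audit(1640000000.101:201): arch=c000003e syscall=2 success=no exit=-13',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        # file denials carry path=..., directory denials usually only name=...
        "path": fields.get("path", fields.get("name", "?")),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Group denials by (source domain, target type, class), unioning the permissions."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(), "paths": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["comms"].add(rec["comm"])
        entry["paths"].add(rec["path"])
    return dict(summary)


def render_allow_rules(summary):
    """Express each group as the allow rule a .te module would need to silence it.
    Printing the rule is not a decision to grant it; that is up to the policy owner."""
    return [
        f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(e['perms']))} }};"
        for (sdomain, ttype, tclass), e in sorted(summary.items())
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC_LINES)
    for key, e in sorted(s.items()):
        print(key, e["count"], sorted(e["perms"]), sorted(e["comms"]), sorted(e["paths"]))
    for rule in render_allow_rules(s):
        print(rule)
```

On a live CentOS 7 host the raw records come from auditd rather than /var/log/messages; `ausearch -m AVC -c ftdc` prints them in the same format, so its output can be fed to `summarize()` line by line. The grouped view makes the trade-off in the report concrete: one rule on proc_net_t:file with getattr and open covers every snmp/netstat denial shown, but it applies to every proc_net_t file, which is exactly the breadth the reporter is reluctant to grant.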
Duplicates: SERVER-63179 Server requires new SELinux privileges (Closed)