Type: Bug
Resolution: Duplicate
Priority: Major - P3
Affects Version/s: 4.4 Required
Component/s: None
Hello Team,
One of the customers is running MongoDB version 4.4 and needs to enable SELinux on it. They followed the "Configure SELinux" documentation and completed the required steps.
Under /var/log/audit/audit.log they are getting SELinux module denials, as below:
type=AVC msg=audit(1648210394.385:2054): avc: denied { search } for pid=7289 comm="mongod" name="/" dev="tmpfs" ino=11016 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1648210394.385:2054): avc: denied { read } for pid=7289 comm="mongod" name="memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.385:2054): avc: denied { open } for pid=7289 comm="mongod" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.385:2055): avc: denied { getattr } for pid=7289 comm="mongod" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.393:2056): avc: denied { search } for pid=7292 comm="mongod" name="net" dev="proc" ino=402 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1648210394.393:2056): avc: denied { getattr } for pid=7292 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=29349 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.393:2057): avc: denied { read } for pid=7292 comm="mongod" name="tcp_fastopen" dev="proc" ino=29349 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.393:2057): avc: denied { open } for pid=7292 comm="mongod" path="/proc/sys/net/ipv4/tcp_fastopen" dev="proc" ino=29349 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210395.997:2060): avc: denied { read } for pid=7292 comm="ftdc" name="netstat" dev="proc" ino=4026532050 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210395.997:2060): avc: denied { open } for pid=7292 comm="ftdc" path="/proc/7292/net/netstat" dev="proc" ino=4026532050 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
The OS used is Amazon Linux 2.
We reproduced the issue with Amazon Linux 2 as the base OS, using version 4.4 and also version 5.0, and are still getting the same module denials, as below:
[root@localhost ~]# tail -f /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1648550290.001:1723): avc: denied { read } for pid=2814 comm="ftdc" name="snmp" dev="proc" ino=4026532051 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648550290.001:1724): avc: denied { search } for pid=2814 comm="ftdc" name="fs" dev="proc" ino=11840 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1648550290.001:1725): avc: denied { search } for pid=2814 comm="ftdc" name="nfs" dev="sda1" ino=33951063 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1648550290.997:1726): avc: denied { read } for pid=2814 comm="ftdc" name="netstat" dev="proc" ino=4026532050 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648550290.997:1727): avc: denied { read } for pid=2814 comm="ftdc" name="snmp" dev="proc" ino=4026532051 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648550290.997:1728): avc: denied { search } for pid=2814 comm="ftdc" name="fs" dev="proc" ino=11840 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1648550290.997:1729): avc: denied { search } for pid=2814 comm="ftdc" name="nfs" dev="sda1" ino=33951063 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1648550292.001:1730): avc: denied { read } for pid=2814 comm="ftdc" name="netstat" dev="proc" ino=4026532050 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
As per server ticket SERVER38704, can we provide any workaround to the customer?
Please let me know if anything is required or needs to be tested.
Regards
Prince
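The records quoted in this ticket are the raw material for a local policy module, and the practical first step is to collapse them into a per-(source type, target type, object class) permission summary while keeping the permissive=1 records (logged but not blocked; the first log above was taken with the domain permissive) apart from the permissive=0 records (the reproduction, where mongod was actually refused). The script below is an added example and is not MongoDB's code or part of the mongodb-selinux policy; the function names are this example's own, and the sample records are constructed in the shape of the ticket's lines (pids, inodes and timestamps are made up). It emits audit2allow-style allow lines for review rather than loading anything, because a rule on a type as broad as proc_net_t grants far more than the single /proc/net file a denial names.

```python
"""Triage SELinux AVC denials from audit.log into a per-(source, target, class)
permission summary and a draft list of type-enforcement allow rules.
Added example for this ticket; not MongoDB's or the mongodb-selinux policy's code."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: same shape as the ticket's records (real audit.log uses
# double spaces around "denied", which the regex tolerates). Values are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1648210394.385:2054): avc:  denied  { search } for  pid=7289 comm="mongod" name="/" dev="tmpfs" ino=11016 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1648210394.385:2054): avc: denied { read } for pid=7289 comm="mongod" name="memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648210394.385:2054): avc: denied { open } for pid=7289 comm="mongod" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=10 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1648550290.001:1723): avc: denied { read } for pid=2814 comm="ftdc" name="snmp" dev="proc" ino=4026532051 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648550290.001:1724): avc: denied { search } for pid=2814 comm="ftdc" name="fs" dev="proc" ino=11840 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1648550290.997:1726): avc: denied { read } for pid=2814 comm="ftdc" name="netstat" dev="proc" ino=4026532050 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1648550291.000:1740): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd"'
"""

# One denial record: permission set, source/target contexts, class, enforcement flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the range may itself contain colons)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(text: str) -> list[dict]:
    """Parse every 'avc: denied' record in text; other audit lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (e.g. USER_AVC notices) or malformed
        cm = COMM_RE.search(line)
        records.append({
            "perms": frozenset(m["perms"].split()),
            "stype": context_type(m["scontext"]),
            "ttype": context_type(m["tcontext"]),
            "tclass": m["tclass"],
            "comm": cm.group(1) if cm else None,
            # permissive=0 means the access was actually refused;
            # permissive=1 means it was only logged (domain or system permissive).
            "enforced": m["permissive"] == "0",
        })
    return records


def summarize(records: list[dict]) -> dict:
    """Collapse records into {(stype, ttype, tclass): {perms, blocked, comms}}."""
    summary = defaultdict(lambda: {"perms": set(), "blocked": False, "comms": set()})
    for r in records:
        entry = summary[(r["stype"], r["ttype"], r["tclass"])]
        entry["perms"] |= r["perms"]
        entry["blocked"] |= r["enforced"]  # any refused access marks the tuple blocked
        if r["comm"]:
            entry["comms"].add(r["comm"])
    return dict(summary)


def draft_te_rules(summary: dict) -> list[str]:
    """One allow rule per tuple, in .te syntax, annotated for human review."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        tag = "blocked" if entry["blocked"] else "permissive-only"
        comms = ",".join(sorted(entry["comms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {tag}; comm={comms}")
    return rules


if __name__ == "__main__":
    for rule in draft_te_rules(summarize(parse_avc(SAMPLE_AUDIT_LOG))):
        print(rule)
```

Run it against a real file with `parse_avc(open("/var/log/audit/audit.log").read())`; the "blocked" tag tells you which tuples are failing under enforcing mode today, and the "permissive-only" ones are what would start failing once the domain is no longer permissive.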