[SERVER-69819] SELinux denial following log rotation - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major - P3
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Operating System:
ALL
Steps To Reproduce:

Hide

kill -USR1 {PID}

Show
kill -USR1 {PID}
Sprint:
Security 2022-10-17, Security 2022-10-31, Security 2022-11-14, Security 2022-11-28, Security 2022-12-12, Security 2022-12-26, Security 2023-01-09, Security 2023-01-23, Security 2023-02-06, Security 2023-04-03

Description

Hi.

MongoDB 6.0 running on Rocky Linux 8.

We have noticed that the MongoDB server process is denied "write" access to the log file after it is rotated, as per this documentation:

https://www.mongodb.com/docs/manual/tutorial/rotate-log-files/#forcing-a-log-rotation-with-sigusr1

Restarting the mongod.service systemd unit does not produce the same denial.

It looks like the mongod process is requesting "write" access after the "kill", instead of "append", and being denied access because it has not been granted this permission.

MongoDB 5.0 running on Rocky Linux 8 is OK.

Additional information:

sudo ausearch -m avc

time->Tue Sep 20 03:46:01 2022

type=PROCTITLE msg=audit(1663641961.899:759879): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66

type=PATH msg=audit(1663641961.899:759879): item=1 name="/var/log/mongodb/mongod.log" inode=8440224 dev=fd:03 mode=0100640 ouid=993 ogid=990 rdev=00:00 obj=system_u:object_r:mongod_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1663641961.899:759879): item=0 name="/var/log/mongodb/" inode=8440193 dev=fd:03 mode=040755 ouid=993 ogid=990 rdev=00:00 obj=system_u:object_r:mongod_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=CWD msg=audit(1663641961.899:759879): cwd="/"

type=SYSCALL msg=audit(1663641961.899:759879): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d9d0d28a20 a2=241 a3=1b6 items=2 ppid=1 pid=1565 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="SignalHandler" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)

type=AVC msg=audit(1663641961.899:759879): avc:  denied  { write } for  pid=1565 comm="SignalHandler" name="mongod.log" dev="dm-3" ino=8440224 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_log_t:s0 tclass=file permissive=0

ps -ef | grep mongo

system_u:system_r:mongod_t:s0 mongod 1565 1 2 Sep15 ? 03:17:55 /usr/bin/mongod -f /etc/mongod.conf

sudo lsof -p 1565 | grep mongod.log

mongod 1565 mongod 6w REG 253,3 32082779 8440194 /var/log/mongodb/mongod.log-20220915

sudo semanage fcontext --list | grep "/var/log/mongodb"

/var/log/mongodb(/.*)?                             all files          system_u:object_r:mongod_log_t:s0

sudo sesearch --allow --source mongod_t --target mongod_log_t --class file

allow daemon logfile:file { append getattr ioctl lock };

allow domain file_type:file map; [ domain_can_mmap_files ]:True

allow mongod_t mongod_log_t:file { append create getattr ioctl lock open rename setattr };

{{}}

Attachments

Issue Links

related to

SERVER-36251 change logfile permissions.

Closed

Activity

People

Assignee:: Adam Rayner

Reporter:: INVADE International Ltd

Participants:: Adam Rayner, INVADE International Ltd, Yuan Fang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: Sep 20 2022 09:41:55 AM UTC

Updated:: Mar 03 2023 04:45:03 PM UTC