Core Server / SERVER-8881

SELinux is grumpy with directory labels for mongodb

    • Type: Bug
    • Resolution: Done
    • Priority: Critical - P2
    • Affects Version/s: 2.2.3
    • Component/s: Packaging, Security
    • Environment:
      fedora 18, but really anything running SELinux
    • Backwards Compatibility: Fully Compatible
    • Operating System: Linux

      Use 10gen RPMs with any SELinux-enabled machine.

      The grumpy message from SELinux is:

      SELinux is preventing /usr/bin/mongod from write access on the
      directory /var/lib/mongo.

      *****  Plugin catchall_labels (83.8 confidence) suggests  ********************

      If you want to allow mongod to have write access on the mongo directory
      Then you need to change the label on /var/lib/mongo
      Do

      # semanage fcontext -a -t FILE_TYPE '/var/lib/mongo'
        where FILE_TYPE is one of the following: var_log_t, mongod_var_lib_t,
        mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t.
        Then execute:
        restorecon -v '/var/lib/mongo'

      *****  Plugin catchall (17.1 confidence) suggests  ***************************

      If you believe that mongod should be allowed write access on the mongo
      directory by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:

      # grep mongod /var/log/audit/audit.log | audit2allow -M mypol
      # semodule -i mypol.pp

      Additional Information:
      Source Context system_u:system_r:mongod_t:s0
      Target Context system_u:object_r:var_lib_t:s0
      Target Objects /var/lib/mongo [ dir ]
      Source mongod
      Source Path /usr/bin/mongod
      Port <Unknown>
      Host localhost.localdomain
      Source RPM Packages mongo-10gen-server-2.2.3-mongodb_1.x86_64
      Target RPM Packages mongo-10gen-server-2.2.3-mongodb_1.x86_64
      Policy RPM selinux-policy-3.11.1-82.fc18.noarch
      Selinux Enabled True
      Policy Type targeted
      Enforcing Mode Enforcing
      Host Name localhost.localdomain
      Platform Linux localhost.localdomain 3.8.1-201.fc18.x86_64
      #1 SMP Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64
      Alert Count 7
      First Seen 2013-02-26 11:39:20 MST
      Last Seen 2013-03-06 16:13:18 MST
      Local ID 66879c9d-d862-448c-97e7-5008c61179bf

      Raw Audit Messages
      type=AVC msg=audit(1362611598.563:257): avc: denied { write } for
      pid=1191 comm="mongod" name="mongo" dev="dm-1" ino=37362
      scontext=system_u:system_r:mongod_t:s0
      tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

      type=SYSCALL msg=audit(1362611598.563:257): arch=x86_64 syscall=open
      success=no exit=EACCES a0=7f21a5f6a898 a1=42 a2=1ff a3=39fb901070
      items=0 ppid=1190 pid=1191 auid=4294967295 uid=989 gid=988 euid=989
      suid=989 fsuid=989 egid=988 sgid=988 fsgid=988 ses=4294967295
      tty=(none) comm=mongod exe=/usr/bin/mongod
      subj=system_u:system_r:mongod_t:s0 key=(null)

      Hash: mongod,mongod_t,var_lib_t,dir,write

      audit2allow

      #============= mongod_t ==============
      #!!!! The source type 'mongod_t' can write to a 'dir' of the following types:
      # mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t

      allow mongod_t var_lib_t:dir write;

      audit2allow -R

      #============= mongod_t ==============
      #!!!! The source type 'mongod_t' can write to a 'dir' of the following types:
      # mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t

      allow mongod_t var_lib_t:dir write;


      Mongo doesn't properly label directories, it would appear.
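As an added example (not part of the ticket or of MongoDB's packaging), a small shell script that parses an AVC denial of the shape quoted in the report and emits the label-based fix (semanage fcontext plus restorecon) rather than an audit2allow module. The sample line is constructed from the report's raw audit message; the decision rule and the `(/.*)?` path pattern are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from SERVER-8881: turn an AVC denial into a relabel fix.
set -eu

# Constructed sample, copied in shape from the ticket's raw audit message.
SAMPLE_AVC='type=AVC msg=audit(1362611598.563:257): avc: denied { write } for pid=1191 comm="mongod" name="mongo" dev="dm-1" ino=37362 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the key=value token, quotes stripped
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_type CONTEXT -> the type component (third field) of an SELinux context
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside the braces, e.g. "write"
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# recommend LINE DATADIR -> commands that fix the *label* of DATADIR.
# The ticket's denial targets the generic var_lib_t type while the policy
# already ships mongod_var_lib_t, so relabeling is the narrow fix. The
# audit2allow alternative ("allow mongod_t var_lib_t:dir write;") would let
# mongod write into every var_lib_t directory, not just its own data dir.
recommend() {
  local line=$1 dir=$2 stype ttype cls
  stype=$(avc_type "$(avc_field "$line" scontext)")
  ttype=$(avc_type "$(avc_field "$line" tcontext)")
  cls=$(avc_field "$line" tclass)
  if [ "$stype" = mongod_t ] && [ "$ttype" = var_lib_t ] && [ "$cls" = dir ]; then
    # Persist the rule for the tree, then apply it to the existing files.
    printf "semanage fcontext -a -t mongod_var_lib_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
  else
    printf 'no label fix known for %s -> %s:%s\n' "$stype" "$ttype" "$cls"
    return 1
  fi
}

# Stand-alone run: show the parsed denial and the recommended commands.
echo "source type: $(avc_type "$(avc_field "$SAMPLE_AVC" scontext)")"
echo "target type: $(avc_type "$(avc_field "$SAMPLE_AVC" tcontext)")"
echo "denied:      $(avc_perms "$SAMPLE_AVC") on $(avc_field "$SAMPLE_AVC" tclass)"
recommend "$SAMPLE_AVC" /var/lib/mongo
```

The script only prints the commands; run them as root on the affected host and confirm with `ls -Zd /var/lib/mongo` that the directory now carries mongod_var_lib_t.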

            Assignee:
            ernie.hershey@mongodb.com Ernie Hershey (Inactive)
            Reporter:
            dvlhntr whocares
            Votes:
            1
            Watchers:
            8