[DOCS-11073] Add more details about working around SELinux constraints Created: 30/Nov/17 Updated: 30/Oct/23 Resolved: 05/Jan/19 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, Ops Manager |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Nic Cottrell | Assignee: | Kay Kim (Inactive) |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | SELinux |
| Days since reply: | 5 years, 5 weeks, 4 days ago |
| Epic Link: | DOCSP-1769 |
| Story Points: | 0.2 |
| Description |
|
We just had this problem while setting up Ops Manager at a client whose policy is to have SELinux enabled on all production environments, so disabling is not an option. We needed to have dbPath set to /db and so SELinux was blocking even though permissions were correct.

The docs at https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-red-hat/#install-enterprise-rhel-configure-selinux don't reflect the required solution:

    sudo chcon -Rv --type=mongod_var_lib_t /<dbPath>

Maybe it could be added and explained under the section on semanage port.

Related to: |
| Comments |
| Comment by Kay Kim (Inactive) [ 05/Jan/19 ] | ||
|
Updates about SELinux & non-default directories (done). Am planning on reorging/cleaning up the install tutorials through another ticket. | ||
| Comment by Githook User [ 05/Jan/19 ] | ||
|
Author: {'email': 'kay.kim@mongodb.com', 'name': 'Kay Kim'}Message: | ||
| Comment by Githook User [ 22/Dec/18 ] | ||
|
Author: {'email': 'kay.kim@mongodb.com', 'name': 'Kay Kim'}Message: | ||
| Comment by Githook User [ 21/Dec/18 ] | ||
|
Author: {'email': 'kay.kim@mongodb.com', 'name': 'Kay Kim'}Message: | ||
| Comment by Eric Sommer [ 20/Dec/18 ] | ||
|
Also mongod_var_run_t for the pid directory: /usr/bin/chcon -R -u system_u -t mongod_var_run_t /data/app/pid | ||
| Comment by Matt Lord (Inactive) [ 13/Dec/18 ] | ||
|
ravind.kumar, we should simply note that the same example steps used for the dbpath would be needed for any non-default directories that mongod uses (for logs, etc.). chcon/restorecon/etc. don't recurse by default, but they have recursive flags (e.g. -R). | ||
| Comment by Ravind Kumar (Inactive) [ 12/Dec/18 ] | ||
|
matt.lord, are there any other file / folder permissions we should cover here while we're at it, e.g. log path directories? Does the semanage command auto-recurse, e.g. if a user has directoryPerDB set? | ||
| Comment by Matt Lord (Inactive) [ 20/Sep/18 ] | ||
|
I'm happy to help with this whenever you're ready to pick it back up. I agree that getting this information into the docs would be great. Changing the dbpath is very common. Just FYI, chcon makes temporary changes that would go away after a reboot. We'll want to use semanage to make permanent changes and restorecon to apply the new+correct extended file attributes on the given files. For example:
For some related context, here is how you can see the policies being applied to mongodb:
|
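
The persistent approach discussed in the comments above (semanage to record the labeling rule, restorecon to apply it recursively), as an added example that is not taken from the ticket or from the MongoDB documentation. The paths /db and /data/app/pid and both SELinux types come from the ticket; the function names and the DRY_RUN switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: persistent SELinux labels for non-default mongod directories.
# DRY_RUN=1 (default) only prints the commands, unquoted, for review.
# DRY_RUN=0 executes them and needs root.

# Accept only absolute paths made of safe characters. "/" itself, "//" and
# ".." are refused so that a typo cannot relabel the whole filesystem.
valid_dir() {
    case "$1" in
        /|*//*|*..*|*[!A-Za-z0-9/._-]*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the file-context regex that covers DIR and everything below it.
# Dots are escaped because semanage treats the path spec as a regex.
fcontext_regex() {
    printf '%s(/.*)?\n' "$(printf '%s' "${1%/}" | sed 's/\./\\./g')"
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# label_dir TYPE DIR
# semanage stores the rule in local policy so it survives a relabel;
# restorecon -R then applies it to the files that already exist.
label_dir() {
    valid_dir "$2" || { echo "refusing path: $2" >&2; return 1; }
    run semanage fcontext -a -t "$1" "$(fcontext_regex "$2")" &&
    run restorecon -R -v "${2%/}"
}

label_dir mongod_var_lib_t /db            # dbPath from the ticket description
label_dir mongod_var_run_t /data/app/pid  # pid directory from the comments
```

After a real run, `ls -dZ /db` shows whether the directory carries the expected type.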