[DOCS-15224] Update "Configure SELinux" instructions Created: 11/Apr/22  Updated: 25/Jan/24

Status: In Progress
Project: Documentation
Component/s: manual, Server
Affects Version/s: 4.2.0, 4.4, 5.0.0
Fix Version/s: Server_Docs_20231030

Type: Task Priority: Major - P3
Reporter: Sergey Galtsev (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-63179 Server requires new SELinux privileges Closed
Related
related to SERVER-66475 SELinux denials on sysctl_net_t Closed
is related to SERVER-63179 Server requires new SELinux privileges Closed
Participants:
Days since reply: 4 weeks, 1 day ago
Epic Link: DOCSP-11701

Description

Per SERVER-63179, the following instructions need to be updated so that they no longer cause excessive logging in the SELinux audit log:

https://www.mongodb.com/docs/v4.2/tutorial/install-mongodb-on-red-hat/#permit-access-to-netstat-for-ftdc

The code in the "Create a custom policy file mongodb_proc_net.te:" section should become:

cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;
 
require {
    type cgroup_t;
    type configfs_t;
    type file_type;
    type mongod_t;
    type proc_net_t;
    type sysctl_fs_t;
    type var_lib_nfs_t;
 
    class dir { search getattr };
    class file { getattr open read };
}
 
#============= mongod_t ==============
allow mongod_t cgroup_t:dir { search getattr } ;
allow mongod_t cgroup_t:file { getattr open read };
allow mongod_t configfs_t:dir getattr;
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;
allow mongod_t proc_net_t:file { open read };
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
EOF
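
Before loading a module like the one above, a reviewer usually wants two checks: that every type named in an allow rule is declared in the require block (checkmodule rejects the module otherwise), and that the rules actually cover the AVC denials seen in the audit log without granting more than FTDC needs. The script below is an added example, not part of this ticket or of the MongoDB docs. It embeds the module text from the description, parses its allow rules, and matches them against a few constructed AVC lines in auditd's format (the comm, pid, inode and path values are made up; the last line models a denial on sysctl_net_t, the type named in the related SERVER-66475 ticket, with a constructed permission). It deliberately does not expand the file_type attribute, so a denial it reports as uncovered may still be silenced by the file_type rules; treat its output as a conservative list to confirm by hand.

```python
"""Check an SELinux .te module against AVC denial lines (added example)."""
import re
from collections import defaultdict

# Constructed: the module text that the heredoc in the ticket description writes.
MODULE_TE = """\
module mongodb_proc_net 1.0;

require {
    type cgroup_t;
    type configfs_t;
    type file_type;
    type mongod_t;
    type proc_net_t;
    type sysctl_fs_t;
    type var_lib_nfs_t;

    class dir { search getattr };
    class file { getattr open read };
}

#============= mongod_t ==============
allow mongod_t cgroup_t:dir { search getattr } ;
allow mongod_t cgroup_t:file { getattr open read };
allow mongod_t configfs_t:dir getattr;
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;
allow mongod_t proc_net_t:file { open read };
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
"""

# Constructed AVC lines in the shape auditd writes to /var/log/audit/audit.log.
SAMPLE_AVC = """\
type=AVC msg=audit(1649700000.101:201): avc:  denied  { search } for  pid=1234 comm="ftdc" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1649700000.102:202): avc:  denied  { read open } for  pid=1234 comm="ftdc" path="/proc/net/netstat" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1649700000.103:203): avc:  denied  { write } for  pid=1234 comm="ftdc" name="netstat" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1649700000.104:204): avc:  denied  { read } for  pid=1234 comm="mongod" name="net" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
"""

# allow <source> <target>:<class> { perm ... } ;   or   allow s t:c perm;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
REQUIRE_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\w+:\w+:(\w+):\S*"
                    r"\s+tcontext=\w+:\w+:(\w+):\S*\s+tclass=(\w+)")

# Permissions a read-only collector such as FTDC legitimately needs.
READ_ONLY_PERMS = {"search", "getattr", "open", "read"}


def parse_module(text):
    """Return ({(source, target, class): {perms}}, declared type names)."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return dict(rules), set(REQUIRE_TYPE_RE.findall(text))


def undeclared_types(rules, declared):
    """Types used by allow rules but absent from require {}: checkmodule fails on these."""
    used = {t for (src, tgt, _) in rules for t in (src, tgt)}
    return sorted(used - declared)


def over_broad_rules(rules):
    """Rules granting anything beyond read-style permissions (none expected here)."""
    return sorted((k, sorted(v - READ_ONLY_PERMS)) for k, v in rules.items() if v - READ_ONLY_PERMS)


def parse_avc(line):
    """Extract (source type, target type, class, {denied perms}) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, src, tgt, cls = m.groups()
    return src, tgt, cls, set(perms.split())


def uncovered_denials(rules, avc_text):
    """Denials whose permissions the module does not grant for that exact type triple."""
    leftovers = []
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        missing = perms - rules.get((src, tgt, cls), set())
        if missing:
            leftovers.append((src, tgt, cls, sorted(missing)))
    return leftovers


if __name__ == "__main__":
    rules, declared = parse_module(MODULE_TE)
    print("undeclared types:", undeclared_types(rules, declared))
    print("over-broad rules:", over_broad_rules(rules))
    for src, tgt, cls, missing in uncovered_denials(rules, SAMPLE_AVC):
        print(f"still denied: {src} -> {tgt}:{cls} {missing}")
```

Run against the constructed log, the script reports the write attempt on proc_net_t and the read on the sysctl_net_t directory as uncovered, and the rest as silenced; the module itself grants only search, getattr, open and read, so nothing is flagged as over-broad. Once the checks pass, the module is built and loaded with the standard checkmodule, semodule_package and semodule steps, and `ausearch -m AVC` on the host is the authoritative confirmation that the denials have stopped.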



Comments
Comment by Ghulam Murtaza [ 09/Jan/24 ]

Hi Team,

It seems like the new documentation link for MongoDB 6.x does not contain this policy. Has it changed? Does it need to be backported to MongoDB 6.x documentation as well?

 

https://www.mongodb.com/docs/v6.0/tutorial/install-mongodb-enterprise-on-red-hat-tarball/#permit-access-to-netstat-for-ftdc

 

Comment by Githook User [ 20/Apr/22 ]

Author:

{'name': 'Dave', 'email': '69165704+davemungo@users.noreply.github.com', 'username': 'davemungo'}

Message: DOCS-15224 BACKPORT (#985)
Branch: v4.2
https://github.com/10gen/docs-mongodb-internal/commit/852b7e5a4ba100b225b09acbe00b5f8321352ea3

Comment by Githook User [ 20/Apr/22 ]

Author:

{'name': 'Dave', 'email': '69165704+davemungo@users.noreply.github.com', 'username': 'davemungo'}

Message: DOCS-15224 BACKPORT (#986)
Branch: v4.4
https://github.com/10gen/docs-mongodb-internal/commit/be3d4220e88398b4fde8337cc2bf08e424086eeb

Comment by Githook User [ 20/Apr/22 ]

Author:

{'name': 'Dave', 'email': '69165704+davemungo@users.noreply.github.com', 'username': 'davemungo'}

Message: DOCS-15224 update selinux policy (#979)

Generated at Thu Feb 08 08:12:19 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.