By default, the SELinux policy on RHEL 7.0 does not seem to allow mongod to write to a non-default dbpath.
If you change the dbpath for MongoDB, e.g. to /data/db, mongod fails to start with an error like:
2014-10-10T00:00:18.883-0400 [initandlisten] MongoDB starting : pid=8257 port=27017 dbpath=/data/db 64-bit host=ip-172-31-4-153.ap-southeast-2.compute.internal
2014-10-10T00:00:18.883-0400 [initandlisten] db version v2.6.5
2014-10-10T00:00:18.883-0400 [initandlisten] git version: e99d4fcb4279c0279796f237aa92fe3b64560bf6
2014-10-10T00:00:18.883-0400 [initandlisten] build info: Linux build8.nj1.10gen.cc 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49
2014-10-10T00:00:18.883-0400 [initandlisten] allocator: tcmalloc
2014-10-10T00:00:18.883-0400 [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1" }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, storage: { dbPath: "/data/db" }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2014-10-10T00:00:18.883-0400 [initandlisten] exception in initAndListen std::exception: boost::filesystem::status: Permission denied: "/data/db/mongod.lock", terminating
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit:
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close listening sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to flush diaglog...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: going to close sockets...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: waiting for fs preallocator...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: lock for final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: final commit...
2014-10-10T00:00:18.883-0400 [initandlisten] shutdown: closing all files...
2014-10-10T00:00:18.883-0400 [initandlisten] closeAllFiles() finished
2014-10-10T00:00:18.883-0400 [initandlisten] dbexit: really exiting now

This is despite the directory ownership and (DAC) permissions seemingly being set correctly. Note that the trailing "." in each mode string only says that an SELinux context is present on the inode; it does not tell you which one (ls -Z does):
$ ls -laR /data
/data:
total 4
drwxr-xr-x. 3 mongod mongod 15 Oct 9 23:55 .
drwxr-xr-x. 18 root root 4096 Oct 10 01:33 ..
drwxr-xr-x. 3 mongod mongod 84 Oct 10 00:01 db

/data/db:
total 81920
drwxr-xr-x. 3 mongod mongod 84 Oct 10 00:01 .
drwxr-xr-x. 3 mongod mongod 15 Oct 9 23:55 ..
-rw-r--r--. 1 mongod mongod 0 Oct 9 23:57 dummy_file
drwxr-xr-x. 2 mongod mongod 6 Oct 10 01:32 journal
-rw-------. 1 mongod mongod 67108864 Oct 10 01:31 local.0
-rw-------. 1 mongod mongod 16777216 Oct 10 01:31 local.ns
-rwxr-xr-x. 1 mongod mongod 0 Oct 10 01:32 mongod.lock

/data/db/journal:
total 0
drwxr-xr-x. 2 mongod mongod 6 Oct 10 01:32 .
drwxr-xr-x. 3 mongod mongod 84 Oct 10 00:01 ..

You can use the sealert tool to read the audit log, and you will see events triggered by mongod like so:
$ sudo sealert -a /var/log/audit/audit.log
38% donestring index out of range
42% done'list' object has no attribute 'split'
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from write access on the directory .

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow mongod to have write access on the directory
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that mongod should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context unconfined_u:object_r:default_t:s0
Target Objects [ dir ]
Source mongod
Source Path /usr/bin/mongod
Port <Unknown>
Host <Unknown>
Source RPM Packages mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ip-172-31-4-153.ap-southeast-2.compute.internal
Platform Linux ip-172-31-4-153.ap-southeast-2.compute.internal 3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count 4
First Seen 2014-10-09 23:56:22 EDT
Last Seen 2014-10-09 23:57:44 EDT
Local ID f8a4f375-aec8-4402-aa68-312055bc3fb9

Raw Audit Messages
type=AVC msg=audit(1412913464.542:300): avc: denied { write } for pid=8148 comm="mongod" name="db" dev="xvda1" ino=17416775 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

type=SYSCALL msg=audit(1412913464.542:300): arch=x86_64 syscall=open success=no exit=EACCES a0=5841458 a1=42 a2=1ff a3=7fffe78b6930 items=0 ppid=8147 pid=8148 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,default_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from getattr access on the file .

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow mongod to have getattr access on the file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cobbler_var_log_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, gconf_tmp_t, gear_log_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_log_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_w3c_validator_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mdadm_tmp_t, mock_tmp_t, mongod_exec_t, mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_log_t, mpd_tmp_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_log_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, nscd_log_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, psad_tmp_t, psad_var_log_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vpnc_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wtmp_t, xauth_tmp_t, xdm_log_t, xdm_tmp_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that mongod should be allowed getattr access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context unconfined_u:object_r:default_t:s0
Target Objects [ file ]
Source mongod
Source Path /usr/bin/mongod
Port <Unknown>
Host <Unknown>
Source RPM Packages mongodb-org-server-2.6.5-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ip-172-31-4-153.ap-southeast-2.compute.internal
Platform Linux ip-172-31-4-153.ap-southeast-2.compute.internal 3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count 3
First Seen 2014-10-09 23:59:39 EDT
Last Seen 2014-10-10 01:33:57 EDT
Local ID 3e4518db-1ecf-4c60-a97c-f69e226b1512

Raw Audit Messages
type=AVC msg=audit(1412919237.399:35): avc: denied { getattr } for pid=800 comm="mongod" path="/data/db/mongod.lock" dev="xvda1" ino=17416779 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1412919237.399:35): arch=x86_64 syscall=stat success=no exit=EACCES a0=3c65458 a1=7fffc85e9db0 a2=7fffc85e9db0 a3=7fffc85e9920 items=0 ppid=799 pid=800 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,default_t,file,getattr

If you follow the second (catchall) recommendation, audit2allow will generate a .pp policy module that you can load with semodule. However, the generated rules are broader than they look. The target context in both denials is default_t, which is the label any file or directory gets when no file-context rule matches its path. A rule such as allow mongod_t default_t:dir write therefore grants mongod write access to every unlabelled directory on the system, subject only to the ordinary DAC permissions, rather than to /data/db specifically. The module also covers only the two denials logged so far (dir write and file getattr); the operations mongod performs next on the data files will hit default_t in turn and call for further rounds of audit2allow:
$ sudo grep mongod /var/log/audit/audit.log | audit2allow

#============= mongod_t ==============
allow mongod_t default_t:dir write;
allow mongod_t default_t:file getattr;

A better approach is to label the dbpath with a type the mongod policy is already allowed to use, or, if you want it kept separate from the default data directory, a dedicated type defined in a small local policy module, so that the grant is scoped to that directory tree rather than to every unlabelled object. It may be helpful to include some basic pointers on how to do this on our RHEL installation page.
The simplest option is to re-use the mongod_var_lib_t type that the policy already defines for mongod's data files:
$ sudo chcon -Rv --type=mongod_var_lib_t /data
changing security context of '/data/db/dummy_file'
changing security context of '/data/db/journal'
changing security context of '/data/db/local.0'
changing security context of '/data/db/local.ns'
changing security context of '/data/db/mongod.lock'
changing security context of '/data/db'
changing security context of '/data'

The issue there is that the naming's obviously not quite right. There is also a practical problem: chcon only rewrites the label on the existing inodes and records nothing in the policy's file-context database, so a later restorecon or a full filesystem relabel puts /data back to default_t and mongod stops starting again. To make the change stick, follow the catchall_labels suggestion above instead: register the dbpath pattern with semanage fcontext using mongod_var_lib_t as the FILE_TYPE, apply it with restorecon, and confirm with ls -dZ /data/db that the directory now carries mongod_var_lib_t.
|
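As an added example (editor's code, not part of the original report or of the MongoDB project), the script below takes the two raw AVC lines from the sealert output above as constructed sample input, extracts the source type, target type, object class and permission from each, prints the allow rule audit2allow would emit for it (which is how you see that the grant is on default_t, not on /data/db), and, because every target is default_t, prints the persistent relabel commands in place of allow rules. The dbpath /data/db and the type mongod_var_lib_t are taken from the report; the script only prints the semanage and restorecon commands, it does not run them.

```shell
#!/bin/sh
# Added example, not from the original report. Parses raw AVC denials,
# shows the audit2allow-style rule each would become, and prints the
# persistent relabel commands when every target is unlabelled (default_t).
# Assumed from the report: dbpath /data/db, target type mongod_var_lib_t.

# Constructed sample: the two raw AVC lines quoted in the sealert output.
AVC_SAMPLE='type=AVC msg=audit(1412913464.542:300): avc: denied { write } for pid=8148 comm="mongod" name="db" dev="xvda1" ino=17416775 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1412919237.399:35): avc: denied { getattr } for pid=800 comm="mongod" path="/data/db/mongod.lock" dev="xvda1" ino=17416779 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# avc_tuple LINE -> "source_type target_type class perms"
# The type is the third colon-separated field of each context; the
# permission list is whatever sits between the braces. Tolerates the
# double spaces audit.log uses around "denied" and "for".
avc_tuple() {
  printf '%s\n' "$1" | sed -n \
    's/^.*denied *{ *\([^}]*[^} ]\) *} *for .*scontext=[^:]*:[^:]*:\([^: ]*\):.*tcontext=[^:]*:[^:]*:\([^: ]*\):.*tclass=\([^ ]*\).*$/\2 \3 \4 \1/p'
}

# te_rule TUPLE -> the allow rule audit2allow would emit for that denial
te_rule() {
  set -- $1
  src=$1; tgt=$2; cls=$3; shift 3
  case $# in
    1) printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$1" ;;
    *) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$*" ;;
  esac
}

# denials SAMPLE -> unique tuples, one per line
denials() {
  printf '%s\n' "$1" | while IFS= read -r line; do avc_tuple "$line"; done | sort -u
}

# all_default_t SAMPLE -> succeeds when every denial targets default_t,
# i.e. the object is simply unlabelled and wants a label, not a new rule
all_default_t() {
  denials "$1" | awk '$2 != "default_t" { bad = 1 } END { exit bad + 0 }'
}

# fcontext_pattern DBPATH -> the regex semanage fcontext expects for a tree
# (strips one trailing slash so "/data/db/" and "/data/db" agree)
fcontext_pattern() {
  printf '%s(/.*)?\n' "${1%/}"
}

# relabel_commands DBPATH TYPE -> the two commands that make the label
# persistent (to be run as root); restorecon applies the registered rule
relabel_commands() {
  printf "semanage fcontext -a -t %s '%s'\n" "$2" "$(fcontext_pattern "$1")"
  printf 'restorecon -Rv %s\n' "${1%/}"
}

echo '== denials (source target class perms) =='
denials "$AVC_SAMPLE"
echo '== what audit2allow would grant: every default_t object, not just the dbpath =='
denials "$AVC_SAMPLE" | while IFS= read -r t; do te_rule "$t"; done
if all_default_t "$AVC_SAMPLE"; then
  echo '== all targets are unlabelled: relabel the dbpath instead of adding rules =='
  relabel_commands /data/db mongod_var_lib_t
fi
```

After running the two printed commands as root, ls -dZ /data/db should show mongod_var_lib_t, matchpathcon /data/db should report the same type (which proves the rule is in the file-context database and will survive a relabel), and a restart of mongod should produce no new AVC records for comm="mongod" in the audit log. If the denials had targeted a real type rather than default_t, the script would not print relabel commands; that is the case where a local policy module, scoped to that type, is the right tool.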