[SERVER-18238] Server crashes on $where : "Array.isArray(this....)" request when SELinux is enabled
Created: 28/Apr/15  Updated: 28/Apr/15  Resolved: 28/Apr/15

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 2.6.9
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Oleg Schmidt Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

Regardless of the collection and the DB, the mongod service crashes or gets terminated.

The stack trace of the process has no information on the issue, and neither do the MongoDB logs.

db.Collection.find( { $where : "Array.isArray(this.resources.resource)" } );

SELinux reports that it prevented mongod from using the execmem...

SELinux is preventing /usr/bin/mongod from using the 'execmem' accesses on a process.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ process ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mongodb-org-server-2.6.9-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-229.1.2.el7.x86_64 #1 SMP
                              Fri Mar 27 03:04:26 UTC 2015 x86_64 x86_64
Alert Count                   14
First Seen                    2015-04-24 16:21:08 BST
Last Seen                     2015-04-28 16:03:35 BST
Local ID                      ba73681d-8957-4859-94c2-87547ed45c1f
 
Raw Audit Messages
type=AVC msg=audit(1430233415.423:1705): avc:  denied  { execmem } for  pid=49630 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
 
 
type=SYSCALL msg=audit(1430233415.423:1705): arch=x86_64 syscall=mmap success=no exit=EACCES a0=2359dc4b5000 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=49630 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
 
Hash: mongod,mongod_t,mongod_t,process,execmem



 Comments   
Comment by Ramon Fernandez Marina [ 28/Apr/15 ]

olegschmidt, quoting from this link:

MongoDB indeed requires execmem rights to function unless you run the server with --noscripting or recompile with --js-engine=none. If you run the server in either of these modes, your test case will fail because your $where query requires an active Javascript engine.

Please see the documentation on running with SELinux and SERVER-12991 for more information.

I'm resolving this issue as this behavior is expected. If you disable SELinux and still have issues please feel free to reopen this ticket.

Regards,
Ramón.
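
For triage, the two raw audit records in the report can be correlated by event id to show what mongod requested: a private, anonymous mapping that is readable, writable and executable at once, the kind of mapping a JavaScript engine's JIT needs and the one the execmem permission gates. The following is an added example, not part of the ticket or of MongoDB's code; the function names are hypothetical, the first two sample records are the ticket's, and the third is constructed.

```python
import re

# Linux mmap(2) bit values for prot (a2) and flags (a3).
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
DENIED = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First two records are the ticket's raw audit messages; the third is constructed noise.
SAMPLE = """\
type=AVC msg=audit(1430233415.423:1705): avc:  denied  { execmem } for  pid=49630 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process
type=SYSCALL msg=audit(1430233415.423:1705): arch=x86_64 syscall=mmap success=no exit=EACCES a0=2359dc4b5000 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=49630 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1430233500.100:1710): avc:  denied  { read } for  pid=49700 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

def names(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def execmem_denials(log_text):
    """Group records by audit event id and decode the mmap behind each execmem denial."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        perms = DENIED.search(recs.get("AVC", ""))
        if not perms or "execmem" not in perms.group(1).split():
            continue  # not an execmem denial
        kv = dict(FIELD.findall(recs["AVC"] + " " + recs.get("SYSCALL", "")))
        ctx = kv.get("scontext", "").split(":")
        hit = {"event": event_id, "comm": kv.get("comm", "").strip('"'),
               "domain": ctx[2] if len(ctx) > 2 else ""}
        # syscall reads "mmap" in interpreted output; raw x86_64 logs show 9 instead.
        if kv.get("syscall") in ("mmap", "9"):
            prot = int(kv["a2"], 16)  # audit prints syscall arguments in hex
            hit.update(length=int(kv["a1"], 16), prot=names(prot, PROT),
                       flags=names(int(kv["a3"], 16), MAP),
                       writable_and_executable=(prot & 0x6) == 0x6)
        findings.append(hit)
    return findings

if __name__ == "__main__":
    for hit in execmem_denials(SAMPLE):
        print(hit)
```

A denial that decodes to a writable and executable anonymous mapping from the mongod_t domain matches the scripting-engine behaviour described in the comment above; the same denial from a process with no JIT deserves a closer look before any local policy module is generated.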
