[SERVER-24101] MongoDB needs execution permission on ld.so.cache and locale-archive when running on SELinux Created: 09/May/16  Updated: 26/Feb/17  Resolved: 13/May/16

Status: Closed
Project: Core Server
Component/s: Build
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Øyvind Myklatun Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-24117 Mongo binaries ELF stack has become e... Closed
Related
is related to SERVER-23863 MongoDB v3.2.5 crash due to permissio... Closed
Operating System: ALL
Steps To Reproduce:

Install mongodb 3.2.5 on RHEL7 or FEDORA with SELinux set to enforcing.

Participants:

 Description   

When trying to start mongod on RHEL 7 and FEDORA 23 with SELinux set to enforcing, the following error occurs:

Fai...
Failed to start SYSV: Mongo is a scalable, document-oriented database..
-- Subject: Unit mongod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit mongod.service has failed.

-- The result is failed.
Unit mongod.service entered failed state.
mongod.service failed.
Unregistered Authentication Agent for unix-process:103456:24616645 (system bus name :1.1410, object path /org/freedesktop/PolicyK
Successfully activated service 'org.fedoraproject.Setroubleshootd'
Successfully activated service 'org.fedoraproject.Setroubleshootd'
'list' object has no attribute 'split'
setroubleshoot[103472]: Plugin Exception restorecon_source
SELinux is preventing /usr/bin/mongod from execute access on the file /etc/ld.so.cache. For complete SELinux messages.
SELinux is preventing /usr/bin/mongod from execute access on the file /etc/ld.so.cache.
Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
grep mongod /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
SELinux is preventing /usr/bin/mongod from execute access on the file /usr/lib/locale/locale-archive. For complete SELi
SELinux is preventing /usr/bin/mongod from execute access on the file /usr/lib/locale/locale-archive.
Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed execute access on the locale-archive file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
grep mongod /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp'



 Comments   
Comment by Andrew Morrow (Inactive) [ 26/Feb/17 ]

jonathan.underwood@capitalone.com - This error was believed to be caused by SERVER-24117, which has been resolved on both the 3.2 and 3.4 release streams. Can you please provide the output of running the execstack command on the mongod binary that you are attempting to run? An example run is available in the description section of SERVER-24117. If the result does not report that the mongod binary has an (unexpectedly) executable stack, then it appears that there is in fact some other cause for this issue, and we will need to re-open this ticket to investigate.

Could you also please provide the mechanism by which you obtained and installed 3.4.2 (i.e. mongodb download site, mongodb package repository, system package repository, built from source, etc.).
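
The check requested in the comment above, as an added example that is not part of the ticket or of MongoDB's code: a reader of the ELF PT_GNU_STACK program header that reports the same three answers as `execstack -q`, for hosts where that tool is not installed. The names `stack_status` and `sample_elf` are chosen here, and the sample ELF bytes are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_status(elf: bytes) -> str:
    """Return 'X' (executable stack), '-' (not executable) or '?' (no marking),
    the three answers `execstack -q` prints."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a recognisable ELF file")
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: byte order
    if elf[4] == 2:                        # EI_CLASS: 64-bit layout
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_off = 4
    else:                                  # 32-bit layout
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_off = 24
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            # An executable marking here can make the kernel set READ_IMPLIES_EXEC,
            # so plain reads of mapped data files are requested as executable.
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"

def sample_elf(p_flags: int) -> bytes:
    """Constructed 64-bit little-endian ELF image: header, PT_LOAD, PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
    return ident + hdr + load + stack

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. the installed mongod binary
        with open(sys.argv[1], "rb") as f:
            print(stack_status(f.read()), sys.argv[1])
    else:
        print(stack_status(sample_elf(7)), "constructed sample, stack flags RWX")
        print(stack_status(sample_elf(6)), "constructed sample, stack flags RW")
```

Run with the path of the binary as the only argument; an `X` result is the unexpectedly executable stack the comment asks about.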

Comment by Jonathan Underwood [ 25/Feb/17 ]

I am seeing exactly this problem again with 3.4.2.

Comment by Ramon Fernandez Marina [ 13/May/16 ]

Thanks for taking the time to open a ticket oyvinmy. I believe this is caused by SERVER-24117, so I'm going to mark this ticket as a duplicate.

We're planning on fixing SERVER-24117 in the next stable release, 3.2.7. Until 3.2.7 is released you should be able to either use 3.2.4 or change the SELinux policy to "permissive".
