[SERVER-38704] RPM Binary -- SELinux Module Denials
Created: 19/Dec/18 Updated: 29/Oct/23 Resolved: 28/Sep/21

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging, Security |
| Affects Version/s: | 3.4.16, 3.6.6, 4.0.0 |
| Fix Version/s: | 5.1.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Matt Lord (Inactive) |
| Assignee: | Sergey Galtsev (Inactive) |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | RHEL, rpm, selinux, yum |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | Linux |
| Steps To Reproduce: | Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo. Ensure that SELinux is enabled and the current mode is set to enforcing:
And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled):
Start the MongoDB service:
Check the MongoDB service status (should still be running):
Examine the failures and the suggested remedy (may require two iterations using audit2allow, one for read and one for open):
|
| Sprint: | Security 2021-08-23, Security 2021-09-20, Security 2021-10-04 |
| Case: | (copied to CRM) |
| Description |
In
Because of this, mongod – when installed via our YUM repos – will fail to capture netstat data in FTDC and continually log the access violations in the audit.log:
| Comments |
| Comment by Matt Lord (Inactive) [ 04/Feb/19 ] |
The patch may get backported to RHEL 7[.7]; it's now waiting on final approvals. The progress on that can be followed on the RedHat bug. |
| Comment by Mark Benvenuto [ 28/Dec/18 ] |
I think we need to write our own policy with a priority of > 100 and have our RPMs install it on RHEL 7. We are going to continue to have this problem. RHEL and Fedora have different forks of the ref policy and they will always lag behind the official version.

Actionable steps

We should also test that we have the right rules. We would have to label some of the files and directories, run our test suites, and look for AVCs. Normally, this requires starting mongod via systemd, but we could support our existing test suites by adding some SELinux rules only for test purposes. To enable regular unconfined process invocation to do an SELinux transition, we would have to add SELinux rules for testing. Something like
|
| Comment by Matt Lord (Inactive) [ 19/Dec/18 ] |
I've submitted a PR upstream that I believe would fix the issue. If anyone has additional input/insights into the best way to address the issue, please let us know. In the meantime, you can manually adjust the system's SELinux policies for mongodb this way:
Thank you! |