[SERVER-38704] RPM Binary -- SELinux Module Denials Created: 19/Dec/18  Updated: 29/Oct/23  Resolved: 28/Sep/21

Status: Closed
Project: Core Server
Component/s: Packaging, Security
Affects Version/s: 3.4.16, 3.6.6, 4.0.0
Fix Version/s: 5.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Matt Lord (Inactive) Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed Votes: 0
Labels: RHEL, rpm, selinux, yum
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File diag.after.tar     File diag.before.tar     File rough-potential-patch.diff    
Issue Links:
Depends
depends on SERVER-56544 SELINUX: create a code patch, post fo... Closed
Problem/Incident
is caused by SERVER-31400 Record Linux netstat metrics in ftdc Closed
Related
is related to DOCS-11073 Add more details about working around... Closed
Backwards Compatibility: Fully Compatible
Operating System: Linux
Steps To Reproduce:

Install MongoDB 4.0 on a RHEL7 machine using the instructions for our YUM repo.

Ensure that SELinux is enabled and the current mode is set to enforcing:

sestatus

And that SELinux is enforcing a mongodb module specifically (listed and not explicitly noted as Disabled):

semodule -l | grep mongo 

Start the MongoDB service:

systemctl start mongod 

Check the MongoDB service status (should still be running):

systemctl status mongod

Examine the failures and the suggested remedy (may require 2 iterations using audit2allow, 1 for read and one for open):

# (no -a: with -a, audit2allow re-reads the whole audit log itself and ignores the piped input)
grep -i ftdc /var/log/audit/audit.log | audit2allow


Sprint: Security 2021-08-23, Security 2021-09-20, Security 2021-10-04
Participants:
Case:

Description

In SERVER-31400 mongod started attempting to read netstat metrics from /proc/net and store them in FTDC. The problem is that on RHEL 7 the following is true (by default):

  1. SELinux is enabled and in enforcing mode
  2. There is an SELinux module for mongodb that is also enabled
  3. The mongodb module does not explicitly allow {open read} on /proc/net

Because of this, mongod – when installed via our YUM repos – will fail to capture netstat data in FTDC and continually log the access violations in the audit.log:

tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0



Comments
Comment by Matt Lord (Inactive) [ 04/Feb/19 ]

The patch may get backported to RHEL 7[.7], it's now waiting on final approvals. The progress on that can be followed on the RedHat bug

Comment by Mark Benvenuto [ 28/Dec/18 ]

I think we need to write our own policy with a priority of > 100 and have our RPMs install on RHEL 7. We are going to continue to have this problem. RHEL and Fedora have different forks of the ref policy and they will always lag behind the official version.

Actionable steps
1. Fork a policy from the ref policy and ensure it works on RHEL 7. This is important for Enterprise where we have AVC failures with ldap and snmp from my ad-hoc testing yesterday.
Docs: https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
Examples from Fedora: https://src.fedoraproject.org/rpms/fts/tree/master, https://src.fedoraproject.org/rpms/ceph/blob/master/f/ceph.spec
Fedora has patched it to work with newer versions of mongodb but it does not account for enterprise.
2. Update ref policy - https://github.com/SELinuxProject/refpolicy. This is a nice-to-have since there is considerable lag until it lands in other places

We should also test that we have the right rules. We would have to label some of the files and directories, run our test suites, and look for AVC.

Normally, this requires starting mongod via systemd but we could support our existing test suites by adding some SELinux rules only for test purposes.

To enable regular unconfined process invocation to do an SELinux transition, we would have to add SELinux rules for testing. Something like

module mongodb_test 1.0;

require {
    type mongod_exec_t;
    type mongod_t;
    type unconfined_t;
    role unconfined_r;
    class process transition;
}

# Let the unconfined role run processes in the mongod_t domain
role unconfined_r types mongod_t;

# Make the type transition from unconfined_t (i.e. user shell) to mongod_t
# when it executes a file labelled mongod_exec_t
type_transition unconfined_t mongod_exec_t : process mongod_t;

# Explicitly allow the type transition we have just created
allow unconfined_t mongod_t : process transition;
 

Comment by Matt Lord (Inactive) [ 19/Dec/18 ]

I've submitted a PR upstream that I believe would fix the issue. If anyone has additional input/insights into the best way to address the issue, please let us know. 

In the meantime, you can manually adjust the system's SELinux policies for mongodb this way:

cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;
 
require {
    type proc_net_t;
    type mongod_t;
    class file { open read };
}
 
#============= mongod_t ==============
allow mongod_t proc_net_t:file { open read };
EOF
 
checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
semodule -i mongodb_proc_net.pp

Thank you!
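The reproduction steps derive the missing rule with audit2allow in two passes (read, then open), the 28/Dec/18 comment suggests running the test suites and looking for AVC denials, and the workaround above installs the resulting module by hand. The following is an added example, not code from this ticket or from MongoDB's packaging: a small shell helper that parses AVC records the way audit2allow does, merges every denied permission for the same (source type, target type, class) into one allow rule, emits the .te source, and, on a real host as root, installs it with the same three commands. The sample input is the two AVC records quoted in the description; the function names (avc_to_allow, build_te, install_module) and the module name mongodb_proc_net are my own choices.

```shell
#!/bin/sh
# Added example, not code from the ticket or from MongoDB: an audit2allow-style
# helper that turns AVC denial records into allow rules and wraps them in a
# policy module source, so the read and open denials are merged in one pass
# instead of the two iterations noted in the reproduction steps.
# Function and module names below are assumptions of this example.

# Constructed sample input: the two AVC records quoted in the ticket,
# one denying read and one denying open on /proc/<pid>/net/snmp.
SAMPLE_AVC='type=AVC msg=audit(1544632097.000:44959): avc:  denied  { read } for  pid=8171 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1544632229.000:45233): avc:  denied  { open } for  pid=8171 comm="ftdc" path="/proc/8171/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC records on stdin, print one allow rule per
# (source type, target type, class) with every denied permission merged.
avc_to_allow() {
    awk '/avc: *denied/ {
        perms = $0
        sub(/.*denied[ \t]*[{][ \t]*/, "", perms)   # keep text after "{"
        sub(/[ \t]*[}].*/, "", perms)               # drop text from "}"
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2 ":" $3
        if (key != cur) {
            if (cur != "") print "allow " cur " { " perms " };"
            cur = key; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (cur != "") print "allow " cur " { " perms " };" }'
}

# build_te: read allow rules on stdin and print a complete .te module source
# named $1, deriving the require block from the types and classes used.
build_te() {
    awk -v name="$1" '
    $1 == "allow" {
        rules[++nr] = $0
        split($3, tc, ":")
        if (!($2 in seen_t))    { seen_t[$2] = 1;    types[++nt] = $2 }
        if (!(tc[1] in seen_t)) { seen_t[tc[1]] = 1; types[++nt] = tc[1] }
        if (!(tc[2] in seen_c)) { seen_c[tc[2]] = 1; classes[++nc] = tc[2] }
        perms = $0
        sub(/.*[{][ \t]*/, "", perms); sub(/[ \t]*[}].*/, "", perms)
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((tc[2], p[j]) in seen_p)) {
                seen_p[tc[2], p[j]] = 1
                cperms[tc[2]] = cperms[tc[2]] " " p[j]
            }
        }
    }
    END {
        print "module " name " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= nt; i++) print "    type " types[i] ";"
        for (i = 1; i <= nc; i++) print "    class " classes[i] " {" cperms[classes[i]] " };"
        print "}"
        print ""
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# install_module: compile and load $1.te with the same three commands as the
# manual workaround (needs checkmodule, semodule_package, semodule and root).
install_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Print the module source derived from the sample records. On a real host,
# replace the sample with: grep 'comm="ftdc"' /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | build_te mongodb_proc_net
```

Review the generated rules before loading them: a denial-driven rule grants exactly what the confined process was refused, which is right for the ftdc read of /proc/net here but is the wrong reflex for a denial on, say, shadow_t or a socket class. Once the module is loaded, `semodule -l | grep mongodb_proc_net` confirms it is active and `semodule -r mongodb_proc_net` backs it out when the fixed packaging ships its own policy.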

Generated at Thu Feb 08 04:49:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.