[SERVER-53177] SELinux is preventing /usr/bin/mongod from search access on the directory net.
Created: 02/Dec/20 Updated: 10/Mar/23 Resolved: 20/Jan/21
| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Aneesh Reghu | Assignee: | Jonathan Streets (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Operating System: | ALL |
| Participants: |
| Description |
SELinux is preventing /usr/bin/mongod from search access on the directory net. I have followed the installation steps at https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

[root@xxxxxxxxx]# semodule -l | grep mongo

OS: CentOS 7.9

I saw that someone has opened the same bug with Red Hat as well: https://bugzilla.redhat.com/show_bug.cgi?id=1884810

--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/mongod from search access on the directory net.

If you believe that mongod should be allowed search access on the net directory by default.

Additional Information:

Raw Audit Messages
type=SYSCALL msg=audit(1606832639.771:108): arch=x86_64 syscall=stat success=no exit=EACCES a0=55f2684e18e0 a1=7ffca39f3c70 a2=7ffca39f3c70 a3=79732f636f72702f items=0 ppid=1670 pid=1674 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,sysctl_net_t,dir,search
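The denial quoted in the description can be triaged by pairing the SYSCALL record with the setroubleshoot Hash line. The following is an added example, not part of the original ticket or of MongoDB's or Red Hat's tooling; the function names are hypothetical, and the Hash field order (command, source type, target type, class, permission) is the assumed reading of that line.

```python
import re

# Sample input: the SYSCALL record and Hash line copied from the ticket description.
RAW = (
    "type=SYSCALL msg=audit(1606832639.771:108): arch=x86_64 syscall=stat "
    "success=no exit=EACCES a0=55f2684e18e0 a1=7ffca39f3c70 a2=7ffca39f3c70 "
    "a3=79732f636f72702f items=0 ppid=1670 pid=1674 auid=4294967295 uid=996 "
    "gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) "
    "ses=4294967295 comm=mongod exe=/usr/bin/mongod "
    "subj=system_u:system_r:mongod_t:s0 key=(null)\n"
    "Hash: mongod,mongod_t,sysctl_net_t,dir,search\n"
)

def parse_record(line):
    """Split one audit record into key=value fields plus timestamp and serial."""
    m = re.search(r"msg=audit\((\d+\.\d+):(\d+)\)", line)
    if not m:
        raise ValueError("not an audit record")
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["timestamp"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields

def parse_hash(line):
    """Assumed field order: comm, source type, target type, class, permission."""
    parts = line.split(":", 1)[1].strip().split(",")
    if len(parts) != 5:
        raise ValueError("unexpected Hash line: " + line)
    return dict(zip(("comm", "source", "target", "class", "perm"), parts))

def triage(raw):
    lines = raw.strip().splitlines()
    rec = parse_record(next(l for l in lines if l.startswith("type=SYSCALL")))
    den = parse_hash(next(l for l in lines if l.startswith("Hash:")))
    subj_type = rec["subj"].split(":")[2]  # context is user:role:type:level
    # Refuse to pair a Hash line with a record from another process or domain.
    if rec["comm"] != den["comm"] or subj_type != den["source"]:
        raise ValueError("Hash line does not belong to this SYSCALL record")
    return {
        "denied": rec["success"] == "no" and rec["exit"] == "EACCES",
        # auid 4294967295 is an unset login UID: a daemon, not a login session.
        "unset_loginuid": rec["auid"] == "4294967295",
        "syscall": rec["syscall"],
        # Candidate type-enforcement rule to review before loading any policy.
        "rule": "allow {source} {target}:{class} {perm};".format(**den),
    }

if __name__ == "__main__":
    print(triage(RAW))
```

The rule string is what to review against the denial before any local policy module is built; it narrows the exception to one permission on one type rather than making the mongod_t domain permissive.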
| Comments |
| Comment by Jonathan Streets (Inactive) [ 09/Feb/21 ] |
Thank you for the extra information. I've passed it along to the Documentation Team.
| Comment by INVADE International Ltd [ 09/Feb/21 ] |
Hi. I see this issue is closed but I've just hit the same problem with MongoDB 4.4 on CentOS 8. After adding the rule for:
I also got a number of other denials logged. To stop all the denials being logged, I ended up with the following:
I'm not sure if these rules should be included in the selinux-policy package detailed in: or if they should be added to the MongoDB documentation: I would imagine it's the latter. I can't see the previous info in the documentation yet so, if the additional rules I've detailed are also required, could they also be included in the documentation? Thanks.
| Comment by Aneesh Reghu [ 13/Jan/21 ] |
Hi Jonathan Streets, I have run those commands. Now it's working fine.
| Comment by Jonathan Streets (Inactive) [ 14/Dec/20 ] |
Hi aneesh.reghu@gmail.com, I looked at the Red Hat Bugzilla report and found the reproducer using setroubleshoot. I found that running the commands in your description adds the search exception to mongod for SELinux:
I have opened an internal DOCS ticket to get the instructions updated. Does this fix the issue for you as well?
| Comment by Aneesh Reghu [ 14/Dec/20 ] |
Hi Jonathan, Thanks for the reply. I'm using the default mongo directory. I didn't change the default data directory.
ls -lZ /var/lib/mongo/
| Comment by Jonathan Streets (Inactive) [ 07/Dec/20 ] |
Hi aneesh.reghu@gmail.com,