[SERVER-53177] SELinux is preventing /usr/bin/mongod from search access on the directory net. Created: 02/Dec/20  Updated: 10/Mar/23  Resolved: 20/Jan/21

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Aneesh Reghu Assignee: Jonathan Streets (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Operating System: ALL
Participants:

Description

SELinux is preventing /usr/bin/mongod from search access on the directory net.

I have followed the installation steps:

https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

[root@xxxxxxxxx]# semodule -l | grep mongo
mongodb 1.1.0
mongodb_cgroup_memory 1.0
mongodb_proc_net 1.0

OS: CentOS 7.9

 

I saw one guy opened the same bug in RedHat also:

https://bugzilla.redhat.com/show_bug.cgi?id=1884810

 

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/mongod from search access on the directory net.

          • Plugin catchall (100. confidence) suggests **************************

If you believe that mongod should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

  1. ausearch -c 'mongod' --raw | audit2allow -M my-mongod
  2. semodule -i my-mongod.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects net [ dir ]
Source mongod
Source Path /usr/bin/mongod
Port <Unknown>
Host <Unknown>
Source RPM Packages mongodb-org-server-4.4.1-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name XXXXXXXXX
Platform Linux XXXXXXX 3.10.0-1160.6.1.el7.x86_64 #1
SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-12-01 14:23:59 UTC
Last Seen 2020-12-01 14:23:59 UTC
Local ID 3f4e312c-a021-4bd7-9a3e-205b6367ec9c

Raw Audit Messages
type=AVC msg=audit(1606832639.771:108): avc: denied { search } for pid=1674 comm="mongod" name="net" dev="proc" ino=244 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1606832639.771:108): arch=x86_64 syscall=stat success=no exit=EACCES a0=55f2684e18e0 a1=7ffca39f3c70 a2=7ffca39f3c70 a3=79732f636f72702f items=0 ppid=1670 pid=1674 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,sysctl_net_t,dir,search

 



Comments
Comment by Jonathan Streets (Inactive) [ 09/Feb/21 ]

Thank-you for the extra information. I've passed it along to the Documentation Team.

Comment by INVADE International Ltd [ 09/Feb/21 ]

Hi. I see this issue is closed but I've just hit the same problem with MongoDB 4.4 on CentOS 8.

After adding the rule for:

allow mongod_t sysctl_net_t:dir search;

I also got a number of other denials logged. To stop all the denials being logged, I ended up with the following:

 
module mongodb_sysctl_net 1.0;

require {
        type mongod_t;
        type sysctl_net_t;
        class dir search;
        class file { getattr read open };
}

#============= mongod_t ==============
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file { getattr read open };

I'm not sure if these rules should be included in the selinux-policy package detailed in:
https://bugzilla.redhat.com/show_bug.cgi?id=1884810

or if they should be added to the MongoDB documentation:
https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/

I would imagine it's the latter.

I can't see the previous info in the documentation yet, so if the additional rules I've detailed are also required, could they also be included in the documentation? Thanks.
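As an added illustration (not code from this report, from MongoDB or from the Red Hat policy package), here is a small Python stand-in for what the suggested `ausearch -c 'mongod' --raw | audit2allow -M my-mongod` pipeline does: it parses AVC records like the one in the description, aggregates them into allow rules, renders a .te module in the shape of the one posted above, and flags any rule whose target type is not the expected sysctl_net_t, because audit2allow turns every logged denial into an allow rule, related to the root cause or not. The audit lines in SAMPLE_AUDIT are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from this report, two file denials of the kind the later comment describes, and a SYSCALL record a parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1606832639.771:108): avc:  denied  { search } for  pid=1674 comm="mongod" name="net" dev="proc" ino=244 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1606832640.100:109): avc:  denied  { read open } for  pid=1674 comm="mongod" name="somaxconn" dev="proc" ino=250 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1606832640.101:110): avc:  denied  { getattr } for  pid=1674 comm="mongod" path="/proc/sys/net/core/somaxconn" dev="proc" ino=250 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1606832639.771:108): arch=x86_64 syscall=stat success=no exit=EACCES comm=mongod
"""
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """(source_type, target_type, tclass, perms) for one AVC denial, or None."""
    m = PERMS_RE.search(line)
    if "avc:" not in line or not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    stype = fields["scontext"].split(":")[2]  # user:role:type:level -> type
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())

def collect_rules(audit_text):
    """Aggregate denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            rules[parsed[:3]] |= parsed[3]
    return dict(rules)

def unexpected_targets(rules, expected_targets):
    """Rules whose target type is outside the allowlist; review these before semodule -i."""
    return sorted(k for k in rules if k[1] not in expected_targets)

def render_module(rules, name="mongodb_sysctl_net", version="1.0"):
    """Render a .te module in the same shape as the one posted in the comment above."""
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    def braces(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {braces(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {braces(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Feed it `ausearch -c 'mongod' --raw` output instead of the sample and compare the rendered module against what audit2allow produces; any rule reported by unexpected_targets deserves a look before the module is loaded.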

 

Comment by Aneesh Reghu [ 13/Jan/21 ]

Hi Jonathan Streets,

I have run those commands. Now it's working fine.

Comment by Jonathan Streets (Inactive) [ 14/Dec/20 ]

Hi aneesh.reghu@gmail.com, I looked at the redhat bugzilla report and found the reproducer using setroubleshoot. I found that running the commands in your description adds the search exception to mongod for SELinux:

ausearch -c 'mongod' --raw | audit2allow -M my-mongod
semodule -i my-mongod.pp

I have opened an internal DOCS ticket to get the instructions updated. Does this fix the issue for you as well?
jon

Comment by Aneesh Reghu [ 14/Dec/20 ]

Hi Jonathan,

Thanks for the reply.

I'm using the default mongo directory. I didn't the default data directory.

 

ls -lZ /var/lib/mongo/
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-0-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-0-275752799907371565.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-2-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-4-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-7-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-8-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-9-1102071215071264138.wt
drwx------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 diagnostic.data
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-10-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-1-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-11-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-12-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-1-275752799907371565.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-13-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-16-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-2-275752799907371565.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-3-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-5-1102071215071264138.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-6-1102071215071264138.wt
drwx------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 journal
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 _mdb_catalog.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 mongod.lock
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 sizeStorer.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 storage.bson
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTigerHS.wt
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.lock
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.turtle
rw------. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.wt

Comment by Jonathan Streets (Inactive) [ 07/Dec/20 ]

Hi aneesh.reghu@gmail.com,
Thank-you for reporting this issue. I was able to install and run mongodb 4.4.2 and attach to it with mongo on a fresh CentOS 7 VM. I followed the instructions, but found I also needed to install semodule_package with yum install policycoreutils-python, and create the /data/db directory, owned by the mongod account.
Do these extra commands work for you? If so I will get the documentation updated, if this still doesn't work for you please can you share a reproducer?
thanks
jon

Generated at Thu Feb 08 05:30:10 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.