[SERVER-63179] Server requires new SELinux privileges Created: 01/Feb/22  Updated: 16/May/22  Resolved: 11/Apr/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.2.18
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kevyn Weiner Assignee: Sergey Galtsev (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-15224 Update "Configure SELinux" instructions In Progress
Duplicate
is duplicated by SERVER-63209 SELinux denials following update from... Closed
is duplicated by SERVER-63808 MongoDB and SELinux issues on CentOS 7 Closed
is duplicated by SERVER-65913 SELinux denials following update from... Closed
Related
related to SERVER-66475 SELinux denials on sysctl_net_t Closed
related to DOCS-15224 Update "Configure SELinux" instructions In Progress
Operating System: ALL
Steps To Reproduce:
  1. Create a CentOS7 server with selinux set to enforcing
  2. Install MongoDB server 4.2.17, following the installation instructions to modify selinux policies
  3. Start MongoDB server
  4. Observe that there are no unusual selinux messages
  5. Upgrade MongoDB server to 4.2.18
  6. Observe that any item which shows up in /etc/mtab is triggering a selinux deny, attributed to ftdc.
Sprint: Security 2022-02-21, Security 2022-03-07, Security 2022-04-18
Participants:

Description

During our project's upgrade from mongodb-org-server-4.2.17-1.el7.x86_64 to mongodb-org-server-4.2.18-1.el7.x86_64, we observed a flood of selinux messages related to FTDC. It appears that FTDC is scanning all mounted volumes, cgroups, etc., and the selinux policy recommended in the MongoDB documentation does not grant enough privileges to facilitate that process.

Here is one avc deny from a CentOS7 box:

node=<hostname> type=AVC msg=audit(1643730988.007:62064): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/mnt/software" dev="0:42" ino=3267542206855034467 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
node=<hostname> type=SYSCALL msg=audit(1643730988.007:62064): arch=c000003e syscall=4 success=no exit=-13 a0=7fe2dd99f1b0 a1=7fe2dd99eee0 a2=7fe2dd99eee0 a3=0 items=1 ppid=1 pid=1309 auid=4294967295 uid=995 gid=991 euid=995 suid=995 fsuid=995 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
node=<hostname> type=CWD msg=audit(1643730988.007:62064):  cwd="/"
node=<hostname> type=PATH msg=audit(1643730988.007:62064): item=0 name="/mnt/software" inode=3267542206855034467 dev=00:2a mode=040777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
node=<hostname> type=PROCTITLE msg=audit(1643730988.007:62064): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66

I was able to work around this issue by granting additional privileges:

 gen_require(`
        type proc_net_t;
+       type configfs_t;
+       type file_type;
-        class dir search;
+        class dir { search getattr };
        class file { getattr open read write};
 ')
# Permits mongod_t to access /proc/net/snmp
 allow mongod_t proc_net_t:file { open read };
 
 # Permits mongod_t to access /sys/fs/cgroup/memory/memory.limit_in_bytes
-allow mongod_t cgroup_t:dir search;
+allow mongod_t cgroup_t:dir { search getattr } ;
 allow mongod_t cgroup_t:file { getattr open read };
 
+# Permits mongod_t to get mounted directory information, for disk utilization monitoring
+allow mongod_t file_type:file getattr;
+allow mongod_t file_type:dir { getattr search };
+allow mongod_t configfs_t:dir getattr;
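Review bot: the two `file_type` rules at the end of the hunk (`+allow mongod_t file_type:file getattr;` and `+allow mongod_t file_type:dir { getattr search };`) are far broader than the denial quoted above, which is a single `getattr` on one `nfs_t` directory: `file_type` is the attribute carried by every file type in the policy, so these lines let mongod_t stat and search any labelled directory or file on the host. If the set of mount-point types is known, one rule per concrete type (here `nfs_t`) is the narrower fix; if the broad grant is intended, say so in the comment, noting that getattr and search are read-only metadata permissions. Separately, `class file { getattr open read write};` in the gen_require block declares `write`, which no rule in the module uses and which should be dropped.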

I suspect that SERVER-28953 created this situation, and am unsure if the proper way to rectify it is to modify the MongoDB documentation to allow for the additional privileges, or to change the new capabilities of FTDC.

Comments
Comment by Sergey Galtsev (Inactive) [ 11/Apr/22 ]

I opened DOCS-15224 to address the issue.

The code I tested, and which works, is as follows:

cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;
 
require {
    type cgroup_t;
    type configfs_t;
    type file_type;
    type mongod_t;
    type proc_net_t;
    type sysctl_fs_t;
    type var_lib_nfs_t;
 
    class dir { search getattr };
    class file { getattr open read };
}
 
#============= mongod_t ==============
allow mongod_t cgroup_t:dir { search getattr } ;
allow mongod_t cgroup_t:file { getattr open read };
allow mongod_t configfs_t:dir getattr;
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;
allow mongod_t proc_net_t:file { open read };
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
EOF
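As an added example (not code from this ticket or from MongoDB), the script below does for the audit records quoted in the description what audit2allow would do by hand-rolled means: it parses the type=AVC lines, groups the denied permissions by source type, target type and object class, and renders a .te module in the same shape as the one posted above. The sample log is constructed: its first record is the denial from the description, the other two are made up using the sysctl_fs_t and proc_net_t types that appear in the final module, and the module name mongodb_ftdc_local is an assumption. Because each rule's target is taken from the denial's tcontext, the generator emits per-type rules such as nfs_t rather than the file_type attribute used in the description's workaround, which is the narrower way to close the same denials.

```python
"""Turn SELinux AVC denial records into a minimal Type Enforcement (.te) module.

Added example for this ticket, not MongoDB project code.  The sample records
below are constructed: the first is the denial from the ticket description,
the other two are made up to show aggregation across classes and permissions.
"""
import re
from collections import defaultdict

# Fields of an AVC record needed for an allow rule: denied permissions,
# source context, target context and object class.  Only type=AVC lines
# carry these; SYSCALL/CWD/PATH/PROCTITLE records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

# Constructed sample audit log (see module docstring).
SAMPLE_AUDIT_LOG = """\
node=<hostname> type=AVC msg=audit(1643730988.007:62064): avc:  denied  { getattr } for  pid=1309 comm="ftdc" path="/mnt/software" dev="0:42" ino=3267542206855034467 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
node=<hostname> type=SYSCALL msg=audit(1643730988.007:62064): arch=c000003e syscall=4 success=no exit=-13 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
node=<hostname> type=AVC msg=audit(1643730999.101:62070): avc:  denied  { search } for  pid=1309 comm="ftdc" name="fs" dev="proc" ino=1234 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
node=<hostname> type=AVC msg=audit(1643731005.220:62081): avc:  denied  { read open } for  pid=1309 comm="ftdc" path="/proc/net/snmp" dev="proc" ino=4026532000 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
"""


def type_of(context: str) -> str:
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(log_text: str) -> dict:
    """Aggregate denials as {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te_module(rules: dict, name: str = "mongodb_ftdc_local",
                     version: str = "1.0") -> str:
    """Render a .te module: a require block, then one allow rule per key."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = f"{{ {perm_str} }}"  # brace multi-permission sets
        lines.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te_module(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The rendered text is what would go into the .te file fed to checkmodule in the comment above; compare its per-type allow rules with the module posted there before loading anything, since every rule generated this way grants exactly the permission that was denied and nothing wider.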

Comment by Sergey Galtsev (Inactive) [ 04/Apr/22 ]

The remaining to-do for this ticket is to verify the steps on a CentOS 7 image.

Comment by Sergey Galtsev (Inactive) [ 09/Feb/22 ]

Following are considerations:

1. There is a mongodb-selinux project, which is tested through evergreen on a regular basis, but it begins with 5.0. Technically, there is no reason it should not work on 4.2, but since we are not running tests on it in 4.2 there is no guarantee it works and no assurance that it will not inadvertently break.

2. I don't like the idea of conditionally disabling parts of FTDC. Technically, it is not a hard problem, and nothing prevents that from happening, except that we are committing to bleed engineer-hours on an obscure feature not many people are aware of.

I suggest we take a stance of offering mongodb-selinux as a long-term solution, and just document an update for selinux in docs. It is a sub-optimal but cheap option, and it would incentivize customers to upgrade.

Generated at Thu Feb 08 05:57:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.