[SERVER-63179] Server requires new SELinux privileges
Created: 01/Feb/22  Updated: 16/May/22  Resolved: 11/Apr/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.2.18
Fix Version/s: None
Type: Bug
Priority: Major - P3
Reporter: Kevyn Weiner
Assignee: Sergey Galtsev (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:
Operating System: ALL
Steps To Reproduce:
Sprint: Security 2022-02-21, Security 2022-03-07, Security 2022-04-18
Participants:
Description

During our project's upgrade from mongodb-org-server-4.2.17-1.el7.x86_64 to mongodb-org-server-4.2.18-1.el7.x86_64, we observed a flood of SELinux messages related to FTDC. It appears that FTDC is scanning all mounted volumes, cgroups, etc., and the SELinux policy recommended in the MongoDB documentation does not grant enough privileges to facilitate that process.

Here is one AVC denial from a CentOS 7 box:

I was able to work around this issue by granting additional privileges:

I suspect that
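The workaround the reporter describes, granting a confined daemon the extra SELinux permissions that its AVC denials report, is normally done with `ausearch -m AVC | audit2allow -M <module>` followed by `semodule -i`. The script below is an added example (it is not the reporter's workaround, the ticket's attachment, or MongoDB's own policy) that performs the audit2allow step by hand so the rule being granted is visible and reviewable before it is loaded, then wraps it into a loadable module. The AVC line it parses is constructed for illustration: the ticket does not reproduce the real message, and the thread name `ftdc`, the cgroup path and the types `mongod_t`/`cgroup_t` are assumptions.

```shell
#!/bin/bash
# Added example, not code from the ticket or from MongoDB. Equivalent to
#   ausearch -m AVC -ts recent | audit2allow -M mongod_ftdc && semodule -i mongod_ftdc.pp
# but with the rule generation spelled out so it can be reviewed first.
set -eu

# CONSTRUCTED sample denial. Thread name, path and SELinux types are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1643712000.123:4567): avc:  denied  { read open } for  pid=2468 comm="ftdc" path="/sys/fs/cgroup/memory/memory.limit_in_bytes" dev="cgroup" ino=42 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0'

# Turn one AVC denial line into the equivalent TE allow rule:
#   allow <source type> <target type>:<class> <permissions>;
# Returns non-zero when the line lacks any of the four pieces.
avc_to_te() {
    printf '%s\n' "$1" | awk '
    {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "denied" && $(i + 1) == "{") {
                # permissions follow "denied" as "{ perm1 perm2 ... }"
                for (j = i + 2; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j
            }
            split($i, kv, "=")
            # contexts are user:role:TYPE:level; the type is the third field
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") exit 1
        if (index(perms, " ") > 0) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
    }'
}

# Wrap allow rules (one per line on stdin) into policy module source with the
# require block that checkmodule needs. Repeated permissions per class are folded.
te_module() {
    local name="$1"
    awk -v name="$name" '
    /^allow / {
        sub(/;[[:space:]]*$/, "")
        types[$2] = 1
        split($3, tc, ":"); types[tc[1]] = 1; cls = tc[2]
        for (i = 4; i <= NF; i++) {
            w = $i; gsub(/[{}]/, "", w)
            if (w != "" && !((cls, w) in seen)) { seen[cls, w] = 1; perms[cls] = perms[cls] " " w }
        }
        rules = rules $0 ";\n"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "    type %s;\n", t
        for (c in perms) printf "    class %s {%s };\n", c, perms[c]
        printf "}\n\n%s", rules
    }'
}

# Compile and load <name>.te on the target host (checkpolicy and policycoreutils
# packages). Review the .te first and grant only what the denial shows. After
# loading, re-run ausearch: FTDC may trip further denials hidden behind this one.
install_te_module() {
    local name="$1"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
    semodule -l | grep -q "^$name" || { echo "module $name not loaded" >&2; return 1; }
}

# Show the module generated from the constructed denial; only load it on a host
# that actually produced such a denial (run with --install).
avc_to_te "$SAMPLE_AVC" | te_module mongod_ftdc
if [ "${1:-}" = "--install" ]; then
    avc_to_te "$SAMPLE_AVC" | te_module mongod_ftdc > mongod_ftdc.te
    install_te_module mongod_ftdc
fi
```

On a real host, feed the audit log rather than the sample: `ausearch -m AVC -ts recent | grep 'scontext=.*:mongod_t:' | while IFS= read -r l; do avc_to_te "$l"; done | te_module mongod_ftdc > mongod_ftdc.te`. While diagnosing, `semanage permissive -a mongod_t` logs every denial for the mongod domain without enforcing, which is narrower than `setenforce 0` for the whole system; remove it again with `semanage permissive -d mongod_t` once the module covers what FTDC needs.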
Comments

Comment by Sergey Galtsev (Inactive) [ 11/Apr/22 ]

I opened DOCS-15224 to address the issue. The code I tested, and which works, is as follows:

Comment by Sergey Galtsev (Inactive) [ 04/Apr/22 ]

Remaining to-do for this ticket is to verify the steps on the CentOS 7 image.

Comment by Sergey Galtsev (Inactive) [ 09/Feb/22 ]

Following are the considerations:

1. There is a mongodb-selinux project, which is tested through Evergreen on a regular basis, but it begins with 5.0. Technically, there is no reason it should not work on 4.2, but since we are not running tests on it in 4.2 there is no guarantee it works and no assurance that it will not inadvertently break.

2. I don't like the idea of conditionally disabling parts of FTDC. Technically, it is not a hard problem, and nothing prevents that from happening, except that we are committing to bleed engineer-hours on an obscure feature not many people are aware of.

I suggest we take the stance of offering mongodb-selinux as the long-term solution, and just document an update for SELinux in the docs. It is a sub-optimal but cheap option, and it would incentivize customers to upgrade.