[SERVER-63209] SELinux denials following update from 5.0.5 to 5.0.6 Created: 02/Feb/22  Updated: 10/Jun/22  Resolved: 11/Feb/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0.6
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: INVADE International Ltd Assignee: Edwin Zhou
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-63179 Server requires new SELinux privileges Closed
Operating System: ALL
Steps To Reproduce:
  1. Install 5.0.5 on EL8 (in our case, Rocky Linux 8) as per:
    https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/
  2. Upgrade the mongodb-org packages to 5.0.6.
  3. Restart the mongod.service unit.
  4. Check the audit log for SELinux denials.
Participants:

Description

The following SELinux denial is logged every second:

time->Wed Feb  2 15:27:09 2022
type=PROCTITLE msg=audit(1643815629.001:19985): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66
type=PATH msg=audit(1643815629.001:19985): item=0 name="/proc/sys/fs/binfmt_misc" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1643815629.001:19985): cwd="/"
type=SYSCALL msg=audit(1643815629.001:19985): arch=c000003e syscall=137 success=no exit=-13 a0=55cd824fbb40 a1=7f24447c7dc0 a2=7f24447c7fa0 a3=0 items=1 ppid=1 pid=45608 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1643815629.001:19985): avc:  denied  { search } for  pid=45608 comm="ftdc" name="fs" dev="proc" ino=10475 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0

suggesting the following needs to be granted:

allow mongod_t sysctl_fs_t:dir search;

This is not listed in:

https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/#configure-selinux
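The denial above can be read mechanically: the AVC record carries the source type, target type, object class and the permission set that was refused, and those four pieces are exactly what an `allow` rule needs (this is what audit2allow does). The PROCTITLE and SYSCALL records add the command line (hex-encoded because it contains NUL separators) and the syscall number (137 on x86_64 is statfs, consistent with ftdc walking mounted filesystems under /proc/sys/fs). The following is an added example, not MongoDB's code or part of the original report; the AVC and PROCTITLE lines are copied from the report, `SAMPLE_MULTI_PERM` is a constructed line, and `X86_64_SYSCALLS` is a deliberately partial table.

```python
"""Turn SELinux AVC audit records into the allow rule they imply, and decode the
PROCTITLE and syscall fields, so a denial can be read without manual lookup.

Added example; not MongoDB's code. AVC_LINE and PROCTITLE_HEX are copied from the
report above, SAMPLE_MULTI_PERM is constructed, X86_64_SYSCALLS is partial."""
import re

# Copied from the report above.
AVC_LINE = ('type=AVC msg=audit(1643815629.001:19985): avc:  denied  { search } for  '
            'pid=45608 comm="ftdc" name="fs" dev="proc" ino=10475 '
            'scontext=system_u:system_r:mongod_t:s0 '
            'tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0')
PROCTITLE_HEX = '2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66'

# Constructed line (not from the report) showing several permissions in one denial.
SAMPLE_MULTI_PERM = ('type=AVC msg=audit(1.0:1): avc:  denied  { read write } for  '
                     'pid=1 comm="x" scontext=system_u:system_r:mongod_t:s0 '
                     'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1')

# Partial x86_64 (arch=c000003e) syscall table; only entries relevant here.
X86_64_SYSCALLS = {2: 'open', 4: 'stat', 137: 'statfs', 138: 'fstatfs', 257: 'openat'}

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into verdict, permissions, types and raw fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    # A context is user:role:type:level; the level itself may contain ':'
    # (MCS categories such as s0:c0.c1023), so split at most three times.
    source_type = fields['scontext'].split(':', 3)[2]
    target_type = fields['tcontext'].split(':', 3)[2]
    return {
        'verdict': verdict,
        'perms': perms.split(),
        'source_type': source_type,
        'target_type': target_type,
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked.
        'permissive': fields.get('permissive') == '1',
        'fields': fields,
    }


def allow_rule(avc):
    """Render the TE allow rule that would permit this access (audit2allow style)."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'],
                                   avc['tclass'], perm_text)


def decode_proctitle(value):
    """auditd hex-encodes proctitle when it contains non-printables (NUL argv
    separators); otherwise it is a quoted string. Return a readable command line."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode('utf-8', 'replace').replace('\x00', ' ')


def syscall_name(number, arch='c000003e'):
    """Name an x86_64 syscall number; other arches fall back to the raw number."""
    if arch == 'c000003e' and number in X86_64_SYSCALLS:
        return X86_64_SYSCALLS[number]
    return 'syscall %d' % number


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(decode_proctitle(PROCTITLE_HEX))          # /usr/bin/mongod -f /etc/mongod.conf
    print(syscall_name(137), 'exit=-13 (EACCES)')   # statfs exit=-13 (EACCES)
    print(allow_rule(avc))                          # allow mongod_t sysctl_fs_t:dir search;
    print(allow_rule(parse_avc(SAMPLE_MULTI_PERM)))  # allow mongod_t etc_t:file { read write };
```

On a live host the equivalent is `ausearch -m AVC -c ftdc -ts recent | audit2allow -M mongod_ftdc` followed by `semodule -i mongod_ftdc.pp`, which loads a local policy module alongside the vendor one rather than editing it. Review the generated rule before loading it: a `search` on `sysctl_fs_t:dir` is a narrow grant, but audit2allow will happily emit much broader rules if the captured window contains unrelated denials. Loading a scoped module is preferable to `setenforce 0` or `semanage permissive -a mongod_t`, both of which remove confinement from the whole domain.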

Comments
Comment by INVADE International Ltd [ 21/Apr/22 ]

The denial I reported has not been included in the fix in the "duplicate" issue.

Can this issue please be re-opened.

Comment by Edwin Zhou [ 11/Feb/22 ]

Hi third.line@invade.net,

Thank you for your report. We currently have SERVER-63179 tracking work around SELinux privileges. I will close this as a duplicate of SERVER-63179.

Best,
Edwin
