[SERVER-63808] MongoDB and SELinux issues on CentOS 7 Created: 17/Feb/22  Updated: 22/Jun/22  Resolved: 14/Mar/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Chris Bator Assignee: Chris Kelly
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 5.0 and CentOS 7


Attachments: PNG File image-2022-02-17-10-17-07-864.png     PNG File image-2022-02-17-10-17-30-340.png     PNG File image-2022-02-17-10-18-15-561.png     PNG File image-2022-02-23-12-49-56-960.png    
Issue Links:
Duplicate
duplicates SERVER-63179 Server requires new SELinux privileges Closed
Participants:

Description

Problem Statement/Rationale

I'm running MongoDB 5.0 on a CentOS 7 virtual machine. SELinux is enabled and currently set to enforcing. SELinux is preventing Mongo from accessing multiple files and directories. As a result, /var/log/ is filling quite fast with messages. Attached, you can see my custom .te policy I put in place and compiled. This took care of most of the issues, so the fill-up has been brought to a crawl, thankfully. But, as per the other screenshot, you can see that SELinux is still preventing Mongo on a couple of things, specifically /proc/<pid>/net/snmp and /proc/<pid>/net/netstat.

Steps to Reproduce

Establish a server with the same OS and version of Mongo with SELinux enabled. You should be able to see the same errors being produced in /var/log/messages.

Expected Results

I would like SELinux to no longer block these things for Mongo. I don't want /var/log/messages filling up with these types of alerts any longer.

Actual Results

/var/log/messages is filling up with SELinux alerts that are telling me that SELinux is preventing ftdc from open access on the specified files above.

Additional Notes

I'm thinking that if we added the getattr and open properties to the proc_net_t line in my .te policy file (screenshot attached), this would resolve it. But we do not want Mongo to be able to do those things; it is too permissive.
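
Added example, not code from the ticket or from MongoDB: a small Python helper that groups AVC denials like the ones described above by (source type, target type, object class) and renders the narrowest allow rules that would cover exactly what was denied, so a .te change can be reviewed against the observed denials instead of being widened to everything under proc_net_t. The log lines are constructed in kernel audit format; the mongod_t source type is an assumption, while proc_net_t, the ftdc command and the /proc/<pid>/net paths come from the ticket.

```python
import re
from collections import defaultdict

# Constructed sample lines in kernel AVC format (not taken from the ticket's screenshots).
# The mongod_t source type is assumed; proc_net_t and the paths are the ones the ticket names.
SAMPLE_LOG = """
type=AVC msg=audit(1645096627.101:4561): avc:  denied  { getattr } for  pid=1234 comm="ftdc" path="/proc/1234/net/snmp" dev="proc" ino=4026532015 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1645096627.102:4562): avc:  denied  { open } for  pid=1234 comm="ftdc" path="/proc/1234/net/snmp" dev="proc" ino=4026532015 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1645096628.103:4563): avc:  denied  { open } for  pid=1234 comm="ftdc" path="/proc/1234/net/netstat" dev="proc" ino=4026532016 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
Feb 17 10:17:07 host systemd[1]: Started Session 42 of user root.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parsed fields of one AVC denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": fields["scontext"].split(":")[2],  # third field of a context is the type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

def allow_rules(summary):
    """Render one allow rule per (source, target, class) covering only the observed permissions."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Feed it the real denials (for example `grep avc /var/log/audit/audit.log` or the AVC lines in /var/log/messages) and compare the output with the existing .te module line by line; any permission in the output that is not already granted is the gap still producing alerts.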



Comments
Comment by Chris Kelly [ 14/Mar/22 ]

Hi Chris,

It appears we are tracking an issue related to SELinux privileges attributed to ftdc in SERVER-63179. I am going to close this ticket, but you can keep an eye on that one for further information.

Regards,
Christopher


Comment by Chris Bator [ 02/Mar/22 ]

Hi Dmitry,

I had tried that originally, but was still getting a massive amount of messages about SELinux blocking Mongo from accessing certain things. I then created my own custom .te policy and compiled that. We are still left with some things that SELinux is blocking.

Thanks,

Chris

Comment by Dmitry Agranat [ 28/Feb/22 ]

Hi cbator@powertrain.com, does this documentation link from our Production Notes help to address the reported issue?

Comment by Chris Bator [ 23/Feb/22 ]

Please note, this is also taking place on RHEL8; screenshot below:


Generated at Thu Feb 08 05:58:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.