[SERVER-66475] SELinux denials on sysctl_net_t Created: 16/May/22  Updated: 10/Jun/22  Resolved: 16/May/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0.8
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: INVADE International Ltd Assignee: Sergey Galtsev (Inactive)
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-63179 Server requires new SELinux privileges Closed
is related to DOCS-15224 Update "Configure SELinux" instructions In Progress
Operating System: ALL
Steps To Reproduce:

Install and configure MongoDB as documented.

Start the mongod service.

Sprint: Security 2022-05-30
Participants:

Description

Hi.

Even following the latest documentation updates in https://jira.mongodb.org/browse/DOCS-15224, I still don't see the SELinux rules that I added to https://jira.mongodb.org/browse/SERVER-53177 in my comment https://jira.mongodb.org/browse/SERVER-53177?focusedCommentId=3607295&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-3607295 in the latest documentation (https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/).

We still get denials reported on:
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file { getattr read open };

every time the mongod service is started.

We are running MongoDB 5.0.8 on Rocky Linux 8.
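To confirm whether the two denials listed above are still being raised on a host, and to fold whatever the audit log records into the matching allow rules for a local policy module, here is an added shell example that is not part of the ticket or of MongoDB's own tooling. The AVC records in it are constructed to mirror the reporter's rules; on a live host the same function is fed from `ausearch -m avc -c mongod -r`, and the resulting rules are what `audit2allow -M <module>` would package.

```shell
#!/bin/sh
# Constructed AVC records (not taken from the ticket's audit log); their
# permissions match the two rules the reporter lists. On a real host use:
#   ausearch -m avc -c mongod -r | avc_to_allow_rules
SAMPLE_AVC='type=AVC msg=audit(1652700000.123:456): avc:  denied  { search } for  pid=1234 comm="mongod" name="net" dev="proc" ino=1 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1652700000.124:457): avc:  denied  { getattr } for  pid=1234 comm="mongod" name="sample" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1652700000.124:458): avc:  denied  { read } for  pid=1234 comm="mongod" name="sample" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1652700000.125:459): avc:  denied  { open } for  pid=1234 comm="mongod" name="sample" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1652700000.126:460): avc:  denied  { read } for  pid=1234 comm="mongod" name="sample" dev="proc" ino=2 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0'

# Read raw AVC records on stdin, keep only denials (granted records are
# skipped), and fold them into one allow rule per (source type, target type,
# object class), deduplicating permissions. Output is sorted so that two runs
# on the same host can be diffed directly.
avc_to_allow_rules() {
  awk '
    /avc: +denied/ {
      s = index($0, "{"); e = index($0, "}")
      if (s == 0 || e <= s) next
      n = split(substr($0, s + 1, e - s - 1), p, " ")
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # context is user:role:type:level; the type is the third field
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      for (i = 1; i <= n; i++)
        if (p[i] != "" && index(" " perms[key] " ", " " p[i] " ") == 0)
          perms[key] = perms[key] " " p[i]
    }
    END {
      for (key in perms) {
        sub(/^ /, "", perms[key])
        if (index(perms[key], " ") == 0) print "allow " key " " perms[key] ";"
        else print "allow " key " { " perms[key] " };"
      }
    }' | LC_ALL=C sort
}

# Rules derived from the constructed sample above.
sample_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
}

sample_rules
```

An empty result from the live `ausearch` pipeline means the denials are no longer being logged; a non-empty one is the exact rule set to review before loading it as a local module.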

Comments
Comment by Sergey Galtsev (Inactive) [ 17/May/22 ]

third.line@invade.net, if these denials are causing production issues for you, please open a HELP ticket.

Comment by INVADE International Ltd [ 17/May/22 ]
  1. The sysctl_net_t:file denials are only logged after you allow the sysctl_net_t:dir search.
  2. I assume the denial means MongoDB is not being allowed to do something it is trying to do. Why is it triggering the denials, and what are the implications of it being denied?
  3. Why are these denials being treated differently to all of those addressed in https://jira.mongodb.org/browse/SERVER-63179?
  4. Rocky Linux is a binary compatible distribution to RHEL. As you have stated, the same denials are reported in RHEL. Is RHEL also no longer supported?
  5. These violations are triggering our monitoring tooling. Based on your statement "I don't think this ticket warrants an action to be taken", I am assuming that we can simply ignore the denials, rather than allow them, and that this won't have any detrimental effect on the operation of MongoDB.
Comment by Sergey Galtsev (Inactive) [ 16/May/22 ]
  • I tested 5.0.8 enterprise on RHEL8, and I found that there is a violation which could be fixed by:

    allow mongod_t sysctl_net_t:dir search;

    I have not found a sysctl_net_t:file violation.

With that said, service started successfully and that fix is not required to run mongod.

  • Rocky Linux 8 is an unsupported operating system; as such we typically do not patch for it, as it would require us to establish a testing process.

Since 5.0 is the last version for which official selinux policy has not been rolled out, I don't think this ticket warrants an action to be taken.

Comment by Edwin Zhou [ 16/May/22 ]

Hi third.line@invade.net,

Thank you for your report. I will pass this along to the Security team to investigate making additional access changes for SELinux.

Best,
Edwin

Generated at Thu Feb 08 06:05:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.