[SERVER-68892] MongoDB 6.0 + mongodb-selinux Created: 17/Aug/22  Updated: 16/Oct/23  Resolved: 30/Aug/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: INVADE International Ltd Assignee: Sergey Galtsev (Inactive)
Resolution: Done Votes: 0
Labels: selinux
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-82215 MongoDB 6.0 + RHEL9 SELinux Needs Verification
Operating System: ALL
Steps To Reproduce:

Upgrade MongoDB 5.0 to 6.0 as per the documentation.

Sprint: Security 2022-08-22, Security 2022-09-05
Participants:

Description

Hi.

This relates to https://www.mongodb.com/community/forums/t/mongodb-6-0-and-selinux/180756.


We are testing an upgrade of MongoDB 5.0 to MongoDB 6.0 on Rocky Linux 8, using the revised SELinux instructions:

https://www.mongodb.com/docs/v6.0/tutorial/install-mongodb-on-red-hat/#configure-selinux
 
Having removed the old policies and installed the new policies from mongodb-selinux, we are getting one denial:

type=PROCTITLE msg=audit(1660560763.000:4626): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66
type=PATH msg=audit(1660560763.000:4626): item=0 name="/proc/sys/fs/binfmt_misc" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1660560763.000:4626): cwd="/"
type=SYSCALL msg=audit(1660560763.000:4626): arch=c000003e syscall=137 success=no exit=-13 a0=55c721f04d00 a1=7f0f3c107000 a2=7f0f3c1071c0 a3=0 items=1 ppid=1 pid=3065 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1660560763.000:4626): avc:  denied  { search } for  pid=3065 comm="ftdc" name="fs" dev="proc" ino=315 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0 

I can't see anything in mongodb-selinux that grants:

allow mongod_t sysctl_fs_t:dir search; 

like the old "mongodb_proc_net" policy used to.


Should this be included (i.e. it's a bug in the policy), or do we need to manually add a policy ourselves?


Thanks.
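The manual step in the report above, reading the AVC record and working out which `allow` rule the policy is missing, as an added example; this is not code from the issue or from mongodb-selinux. It parses the AVC line quoted above plus one constructed multi-permission record (the `example_file_t` type is invented for illustration) and renders the type-enforcement rule that audit2allow would propose for each distinct denial.

```python
import re

# Audit records: the first AVC is the one quoted in the issue description;
# the second is constructed to show the braces form for several permissions.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1660560763.000:4626): avc:  denied  { search } for  '
    'pid=3065 comm="ftdc" name="fs" dev="proc" ino=315 '
    'scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0',
    # constructed record, not from the issue
    'type=AVC msg=audit(1660560800.000:4700): avc:  denied  { read write } for  '
    'pid=3065 comm="ftdc" path="/example" '
    'scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0',
]

_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Parse one audit line; return None for records that are not AVC messages."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        'verdict': m['verdict'],
        'perms': m['perms'].split(),
        'source_type': m['scontext'].split(':')[2],
        'target_type': m['tcontext'].split(':')[2],
        'tclass': m['tclass'],
    }

def allow_rule(avc):
    """Render the TE allow rule that would satisfy this AVC (audit2allow style)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"

def denials_to_rules(lines):
    """Distinct allow rules implied by the denied AVC records in an audit log."""
    parsed = (parse_avc(line) for line in lines)
    rules = [allow_rule(a) for a in parsed if a and a['verdict'] == 'denied']
    return list(dict.fromkeys(rules))  # dedupe, preserving first-seen order
```

Before adding a rule like this in a local module, confirm the installed policy really lacks it (for example `sesearch -A -s mongod_t -t sysctl_fs_t -c dir -p search`), since a missing grant in the shipped module is better fixed upstream, as happened in this ticket.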



Comments
Comment by Sergey Galtsev (Inactive) [ 30/Aug/22 ]

The policy was updated. Thanks third.line@invade.net for testing the change.

Comment by INVADE International Ltd [ 30/Aug/22 ]

Hi Sergey. We have tested the fix and can confirm that there have been no SELinux denials since. Many thanks.

Comment by INVADE International Ltd [ 30/Aug/22 ]

Hi Sergey. I will get back to you with the results of our testing. Might be a couple of days. Thanks.

Comment by Sergey Galtsev (Inactive) [ 26/Aug/22 ]

Hi third.line@invade.net! Thanks for reporting the bug. Do you mind testing the fix? Please find the corrected policy in https://github.com/mongodb/mongodb-selinux/tree/sergev.galtsev/SERVER-68892

Generated at Thu Feb 08 06:12:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.