[SERVER-69819] SELinux denial following log rotation

| Field | Value |
|---|---|
| Created | 20/Sep/22 |
| Updated | 16/Nov/23 |
| Status | Backlog |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | INVADE International Ltd |
| Assignee | Backlog - Security Team |
| Resolution | Unresolved |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Assigned Teams | Server Security |
| Operating System | ALL |
| Steps To Reproduce | kill -USR1 {PID} |
| Sprint | Security 2022-10-17, Security 2022-10-31, Security 2022-11-14, Security 2022-11-28, Security 2022-12-12, Security 2022-12-26, Security 2023-01-09, Security 2023-01-23, Security 2023-02-06, Security 2023-04-03, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04, Security 2023-09-18, Security 2023-10-02, Security 2023-10-16, Security 2023-10-30, Security 2023-11-13 |
| Participants | |

| Description |
Hi. MongoDB 6.0 running on Rocky Linux 8.

We have noticed that the MongoDB server process is denied "write" access to the log file after it is rotated, as per this documentation: https://www.mongodb.com/docs/manual/tutorial/rotate-log-files/#forcing-a-log-rotation-with-sigusr1

Restarting the mongod.service systemd unit does not produce the same denial. It looks like the mongod process is requesting "write" access after the "kill", instead of "append", and being denied access because it has not been granted this permission.

MongoDB 5.0 running on Rocky Linux 8 is OK.

Additional information:
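The denial pattern the reporter describes, as an added example that is not part of the ticket: a POSIX shell helper that reads auditd AVC records and reports those where mongod was denied the "write" permission on a file (a process that only appends would request "append" instead). The audit lines are constructed samples; the mongod_log_t label, paths, PIDs and timestamps are assumptions, not values from the report.

```shell
#!/bin/sh
# Added example, not from the ticket: filter auditd AVC records for the symptom
# the reporter describes (mongod denied "write" on its log file after SIGUSR1
# rotation). The audit lines below are constructed; the mongod_log_t label,
# paths, PIDs and timestamps are assumptions, not values from the report.
SAMPLE_AUDIT='type=AVC msg=audit(1663670000.101:401): avc:  denied  { write } for  pid=1234 comm="mongod" path="/var/log/mongodb/mongod.log" dev="dm-0" ino=262401 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663670000.102:402): avc:  denied  { getattr } for  pid=1234 comm="mongod" path="/var/log/mongodb/mongod.log.2022-09-20T10-00-00" dev="dm-0" ino=262402 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663670000.103:403): avc:  denied  { write } for  pid=5678 comm="sshd" path="/etc/motd" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print "pid perms path" for every denial where
# mongod asked for the "write" permission on a file. A process that only
# appends would show { append } instead, so any line printed here is the
# write-instead-of-append behaviour the ticket is about.
mongod_write_denials() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        match($0, /\{ [^}]* \}/);    perms  = substr($0, RSTART + 2, RLENGTH - 4)
        match($0, /comm="[^"]*"/);   comm   = substr($0, RSTART + 6, RLENGTH - 7)
        match($0, /tclass=[a-z_]+/); tclass = substr($0, RSTART + 7, RLENGTH - 7)
        match($0, /pid=[0-9]+/);     pid    = substr($0, RSTART + 4, RLENGTH - 4)
        path = "?"
        if (match($0, /path="[^"]*"/)) path = substr($0, RSTART + 6, RLENGTH - 7)
        # perms is a space-separated set, e.g. "write" or "read write"
        if (comm == "mongod" && tclass == "file" && (" " perms " ") ~ / write /)
            print pid, perms, path
    }'
}

# Count of matching records, for use in a health check or alert rule.
count_mongod_write_denials() {
    mongod_write_denials | wc -l | tr -d ' '
}

# Live variant (not exercised offline): pull the recent AVC records for mongod
# from auditd and run the same filter over them.
live_check() {
    ausearch -m AVC -c mongod -ts recent 2>/dev/null | mongod_write_denials
}

# Offline demonstration on the constructed sample: expect exactly one hit.
printf '%s\n' "$SAMPLE_AUDIT" | mongod_write_denials
```

On a live host, run `live_check` right after sending SIGUSR1 to mongod; any line it prints is the write denial this ticket is about.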
| Comments |
| Comment by Adam Rayner [ 03/Aug/23 ] |

Hi third.line@invade.net, we assess and prioritize SELinux support improvements on an ongoing basis, along with all other server improvements. Cheers!
| Comment by INVADE International Ltd [ 02/Aug/23 ] |

Hi. As this issue has now been open for nearly a year, can I ask how often you assess the iterations of your SELinux support? Thanks.
| Comment by Adam Rayner [ 01/Aug/23 ] |

Hi third.line@invade.net, thanks again for bringing this to our attention. As there appears to be a workaround, I am moving this to our backlog and we will assess a permanent fix in the next iteration of our SELinux support.
| Comment by INVADE International Ltd [ 04/Oct/22 ] |

Hi. I'm not sure that issue is related as it is referring to the file permissions of the log files. We want to keep the default file permissions. This is an SELinux "write" denial. The options as I see it are:

Based on: I believe this would mean adding either:
| Comment by Yuan Fang [ 03/Oct/22 ] |

Thank you for reporting this issue. While I don't have a certain answer for this right now, from the description you provided, it seems similar to Can you check and compare the file permissions of the closed log file and the new log file, and see if you agree this issue is the same as

Regards,
| Comment by INVADE International Ltd [ 03/Oct/22 ] |

Just for info. We have temporarily added the following policy to resolve the problem: