[SERVER-82215] MongoDB 6.0 + RHEL9 SELinux Created: 16/Oct/23  Updated: 05/Dec/23

Status: Needs Verification
Project: Core Server
Component/s: None
Affects Version/s: 6.0.11
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kyllian Chartrain Assignee: Noopur Gupta
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Mongo 6.0.11
Rocky Linux 9


Attachments: PNG File first-reload.png     PNG File second-reload.png    
Issue Links:
Related
is related to SERVER-68892 MongoDB 6.0 + mongodb-selinux Closed
Operating System: ALL
Participants:

 Description   

Hi.

We are installing MongoDB on Rocky Linux 9.

We know that the mongodb-selinux GitHub states that RHEL9 is not supported.

Do you know if RHEL9 SELinux will be supported, and when?

We got a denial in /var/log/audit/audit.log:

 

type=AVC msg=audit(1697463671.995:1842): avc:  denied  { search } for  pid=802 comm="ftdc" name="fs" dev="proc" ino=13458 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1697463671.995:1842): arch=c00000b7 syscall=43 success=no exit=-13 a0=aaaaf9a42680 a1=ffff9435c8a0 a2=ffff9dc7bb18 a3=0 items=0 ppid=1 pid=802 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)ARCH=aarch64 SYSCALL=statfs AUID="unset" UID="mongod" GID="mongod" EUID="mongod" SUID="mongod" FSUID="mongod" EGID="mongod" SGID="mongod" FSGID="mongod"
type=PROCTITLE msg=audit(1697463671.995:1842): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66 

The audit2allow command seems to indicate that mongod_t needs the following:

 

 

#============= mongod_t ==============
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t sysctl_net_t:dir search; 

A similar problem has been found here and fixed, but for RHEL 8.

Thanks in advance.

 

 

 

 



 Comments   
Comment by Kyllian Chartrain [ 27/Oct/23 ]

Hi Noopur,

I don't have any mongod log since the restart call is blocked by SELinux.

Without the policy the mongod reload works as intended.

systemctl restart mongod

As shown in the screenshot named first-reload, the default mongo policy is installed and the restart works as intended.

Once the mongo policy is installed manually, the reload failed due to an access denied error, as shown in the screenshot named second-reload.

 

best regards,

Kyllian Chartrain.

Comment by Noopur Gupta [ 25/Oct/23 ]

Hi Kyllian,

Can you share mongod logs for this restart failure?

Also, can you share the commands you used to run the mongod first (i.e. before restart)?

 

Comment by Kyllian Chartrain [ 25/Oct/23 ]

Hi Noopur,

It seems that the SEPolicy is good if the mongodb service is up and running but fails to restart with:

systemctl restart mongod

The audit2allow command indicates:

#============= mongod_t ==============
allow mongod_t unlabeled_t:sock_file unlink; 

best regards,

Kyllian.

 

Comment by Kyllian Chartrain [ 24/Oct/23 ]

Hi Noopur,

Installing the SELinux policy directly from GitHub worked.

But the SELinux policy installed by default using mongod alone has the issue. Does it mean that the default policy should be replaced by the one present on GitHub?

 

best regards,

Kyllian.

Comment by Noopur Gupta [ 17/Oct/23 ]

Hi Kyllian,

According to https://www.mongodb.com/docs/manual/tutorial/install-mongodb-enterprise-on-red-hat/#configure-selinux SELinux is supported in all versions RHEL7 or later. 
Please follow the instructions mentioned in the link for configuring SELinux.

Let us know if you have further questions.
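
Added example, not part of the ticket or of the mongodb-selinux project: a Python reimplementation of the AVC-to-allow-rule mapping behind the audit2allow output quoted in the description and in the 25/Oct comment. The first sample record is the one from the description; the other two records (including `example.sock`, the device and inode values) are constructed to match the remaining reported rules, and the review note on `unlabeled_t` targets is an assumption of this example about what deserves a second look before a rule is loaded.

```python
import re
from collections import defaultdict

# Record 1 is the AVC line from the ticket. Records 2 and 3 are constructed to
# match the other rules audit2allow reported; the SYSCALL line is a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1697463671.995:1842): avc:  denied  { search } for  pid=802 comm="ftdc" name="fs" dev="proc" ino=13458 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697463672.001:1843): avc:  denied  { search } for  pid=802 comm="ftdc" name="net" dev="proc" ino=13460 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1698220000.000:2001): avc:  denied  { unlink } for  pid=900 comm="mongod" name="example.sock" dev="dm-0" ino=999 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1697463671.995:1842): arch=c00000b7 syscall=43 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PROCTITLE) are skipped
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """Format rules in allow-statement form; flag unlabeled_t targets for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        # unlabeled_t means the object has no valid label under the loaded policy
        note = "  # review: unlabeled_t target, check file labeling first" if tgt == "unlabeled_t" else ""
        out.append(f"allow {src} {tgt}:{cls} {perm_text};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(denials_to_rules(SAMPLE_AUDIT_LOG))))
```
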

Generated at Thu Feb 08 06:48:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.