[SERVER-8881] SELinux is grumpy with directory labels for mongodb Created: 06/Mar/13  Updated: 13/Apr/15  Resolved: 16/Oct/13

Status: Closed
Project: Core Server
Component/s: Packaging, Security
Affects Version/s: 2.2.3
Fix Version/s: None

Type: Bug Priority: Critical - P2
Reporter: whocares Assignee: Ernie Hershey
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

fedora 18, but really anything running SELinux


Issue Links:
Duplicate
is duplicated by SERVER-9201 selinux problems in RPM packaging Closed
Related
related to SERVER-9201 selinux problems in RPM packaging Closed
Backwards Compatibility: Fully Compatible
Operating System: Linux
Steps To Reproduce:

Use 10gen RPMs on any SELinux-enabled machine.

The grumpy message from SELinux is:

SELinux is preventing /usr/bin/mongod from write access on the
directory /var/lib/mongo.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow mongod to have write access on the mongo directory
Then you need to change the label on /var/lib/mongo
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/mongo'
where FILE_TYPE is one of the following: var_log_t, mongod_var_lib_t,
mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t.
Then execute:
restorecon -v '/var/lib/mongo'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that mongod should be allowed write access on the mongo
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:object_r:var_lib_t:s0
Target Objects /var/lib/mongo [ dir ]
Source mongod
Source Path /usr/bin/mongod
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mongo-10gen-server-2.2.3-mongodb_1.x86_64
Target RPM Packages mongo-10gen-server-2.2.3-mongodb_1.x86_64
Policy RPM selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.8.1-201.fc18.x86_64
#1 SMP Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64
Alert Count 7
First Seen 2013-02-26 11:39:20 MST
Last Seen 2013-03-06 16:13:18 MST
Local ID 66879c9d-d862-448c-97e7-5008c61179bf

Raw Audit Messages
type=AVC msg=audit(1362611598.563:257): avc: denied { write } for pid=1191 comm="mongod" name="mongo" dev="dm-1" ino=37362 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1362611598.563:257): arch=x86_64 syscall=open success=no exit=EACCES a0=7f21a5f6a898 a1=42 a2=1ff a3=39fb901070 items=0 ppid=1190 pid=1191 auid=4294967295 uid=989 gid=988 euid=989 suid=989 fsuid=989 egid=988 sgid=988 fsgid=988 ses=4294967295 tty=(none) comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,var_lib_t,dir,write

audit2allow

#============= mongod_t ==============
#!!!! The source type 'mongod_t' can write to a 'dir' of the following types:
# mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t

allow mongod_t var_lib_t:dir write;

audit2allow -R

#============= mongod_t ==============
#!!!! The source type 'mongod_t' can write to a 'dir' of the following types:
# mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t

allow mongod_t var_lib_t:dir write;
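The relabel route from the catchall_labels suggestion above, as an added shell example that is not part of the ticket: it parses the ticket's AVC record, rebuilds the setroubleshoot Hash line, checks whether the target type is one mongod_t may write, and prints the persistent semanage/restorecon fix rather than the catchall module, since `allow mongod_t var_lib_t:dir write` would let mongod write to every var_lib_t directory on the host. The recursive `/var/lib/mongo(/.*)?` pattern, `restorecon -R` and the sesearch check are this example's own assumptions.

```shell
# Added example, not from the ticket: parse the AVC record above, rebuild the
# setroubleshoot "Hash:" line and print the relabel commands the catchall_labels
# plugin suggests. Type list as sealert printed it on this page; on a live host
# confirm with: sesearch -A -s mongod_t -c dir -p write

# Constructed copy of the ticket's AVC record, reflowed onto one line.
AVC='type=AVC msg=audit(1362611598.563:257): avc: denied { write } for pid=1191 comm="mongod" name="mongo" dev="dm-1" ino=37362 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# Directory types mongod_t may write, per the sealert output above.
MONGOD_DIR_WRITE_TYPES='mongod_var_lib_t var_log_t mongod_var_run_t var_run_t mongod_tmp_t mongod_log_t tmp_t'

# avc_field KEY RECORD: value of " KEY=..." with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD: the permission(s) inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_hash RECORD: comm,source type,target type,class,perms (the "Hash:" line).
avc_hash() {
    printf '%s,%s,%s,%s,%s\n' "$(avc_field comm "$1")" \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")" "$(avc_perms "$1")"
}

# needs_relabel RECORD: true when the target type is none mongod_t may write,
# i.e. the directory is mislabelled and a label fix beats an audit2allow module.
needs_relabel() {
    ttype=$(ctx_type "$(avc_field tcontext "$1")")
    for t in $MONGOD_DIR_WRITE_TYPES; do
        [ "$t" = "$ttype" ] && return 1
    done
    return 0
}

# relabel_cmds DIR TYPE: persistent fix. The (/.*)? pattern and -R are our
# assumption so the whole data directory, not only its top level, is relabelled.
relabel_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

needs_relabel "$AVC" && echo "Hash: $(avc_hash "$AVC")" && relabel_cmds /var/lib/mongo mongod_var_lib_t
```

After running the printed commands, `ls -Zd /var/lib/mongo` should show mongod_var_lib_t and the AVC should stop recurring in audit.log.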

Description:

Mongo doesn't properly label directories, it would appear.

Comments:
Comment by Ernie Hershey [ 16/Oct/13 ]

Verified in CentOS 6 and Fedora 18

Comment by Mark Adams [ 17/Jul/13 ]

According to the Bugzilla bug from Red Hat, this is being fixed as part of git commit 936911269cb82447d62c3934ebb08265a9b8dc70.

The current Fedora-built packages from MongoDB use /var/lib/mongodb instead of /var/lib/mongo, and that's what the SELinux policy labels.
The referenced commit modifies the SELinux policy to label /var/lib/mongo.*, which will include both paths.

Comment by Serge Matveenko [ 02/Jul/13 ]

I think it's time for you to talk to each other:
https://bugzilla.redhat.com/show_bug.cgi?id=972340

Comment by Johan Hedin [ 05/May/13 ]

This is actually an issue with the SELinux policy in Fedora 18 itself, not the 10gen RPMs.

In the SELinux policy in Fedora 17, /var/lib/mongo is labeled mongod_var_lib_t and the 10gen RPMs should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule.

You could file a bug for the SELinux policy for Fedora 18 here: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy explaining the issue and pointing out that the policy in Fedora 17 allows this.

Generated at Thu Feb 08 03:18:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.