[SERVER-8881] SELinux is grumpy with directory labels for mongodb
Created: 06/Mar/13 | Updated: 13/Apr/15 | Resolved: 16/Oct/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging, Security |
| Affects Version/s: | 2.2.3 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Critical - P2 |
| Reporter: | whocares |
| Assignee: | Ernie Hershey |
| Resolution: | Done |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | fedora 18, but really anything running SELinux |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | Linux |

| Steps To Reproduce: |
use 10Gen rpms with any SELinux enabled machine. the grumpy message from SELinux is:

SELinux is preventing /usr/bin/mongod from write access on the
If you want to allow mongod to have write access on the mongo directory
If you believe that mongod should be allowed write access on the mongo

Additional Information:
Raw Audit Messages for type=SYSCALL msg=audit(1362611598.563:257): arch=x86_64 syscall=open
Hash: mongod,mongod_t,var_lib_t,dir,write

audit2allow
#============= mongod_t ==============
allow mongod_t var_lib_t:dir write;

audit2allow -R
#============= mongod_t ==============
allow mongod_t var_lib_t:dir write;
|

| Participants: | |

| Description |
|
Mongo doesn't properly label directories it would appear. |
| Comments |
| Comment by Ernie Hershey [ 16/Oct/13 ] |
|
Verified in CentOS 6 and Fedora 18 |
| Comment by Mark Adams [ 17/Jul/13 ] |
|
According to the Bugzilla bug from Red Hat, this is being fixed as part of git commit 936911269cb82447d62c3934ebb08265a9b8dc70. The current Fedora-built packages from MongoDB use /var/lib/mongodb instead of /var/lib/mongo, and that's what the selinux policy labels. |
| Comment by Serge Matveenko [ 02/Jul/13 ] |
|
I think it's time for you to talk to each other. |
| Comment by Johan Hedin [ 05/May/13 ] |
|
This is actually an issue with the SELinux policy in Fedora 18 itself, not the 10gen RPMs. In the SELinux policy in Fedora 17, /var/lib/mongo is labeled mongod_var_lib_t and the 10gen RPMs should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule. You could file a bug for the SELinux policy for Fedora 18 here: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy explaining the issue and relate to the fact that the policy in Fedora 17 allows this. |
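An added example, not from the ticket, MongoDB or Fedora: a POSIX shell helper that reads an AVC denial like the one behind this ticket's audit2allow output and decides whether the fix is a relabel (the file-context rule Johan describes, applied with restorecon) rather than the blanket `allow mongod_t var_lib_t:dir write;` rule, which would let mongod write to every var_lib_t directory under /var/lib. It assumes the refpolicy naming convention `<daemon>_t` to `<daemon>_var_lib_t`, which holds for mongod_t / mongod_var_lib_t; the AVC record, pid, dev and ino values are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket or from MongoDB's packaging.
# Classify an AVC denial like the one in this ticket and print the fix a
# reviewer would want: when the target type is a generic container type
# such as var_lib_t, the directory was never labeled for the daemon and the
# remedy is a file-context rule plus restorecon, not the blanket
# "allow mongod_t var_lib_t:dir write;" that audit2allow suggests.

# Constructed AVC record matching the ticket's hash
# (mongod, mongod_t, var_lib_t, dir, write); pid/dev/ino are made up.
SAMPLE_AVC='type=AVC msg=audit(1362611598.563:257): avc:  denied  { write } for  pid=1234 comm="mongod" name="mongo" dev="dm-0" ino=5678 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# Print "<source type> <target type> <class> <permission>" for an AVC line.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Generic types that mean "this path carries no daemon-specific label".
is_generic_type() {
    case "$1" in
        var_lib_t|var_t|var_log_t|var_run_t|default_t|usr_t|etc_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the remediation for DIR given one AVC line.
# Mislabel: a semanage fcontext rule giving DIR the daemon's own data type
# (mongod_t -> mongod_var_lib_t, following the refpolicy naming convention;
# an assumption for daemons other than mongod) and a restorecon to apply it.
# Otherwise: the allow rule audit2allow would generate, for human review.
remediation() {
    dir=$1
    avc=$2
    set -- $(avc_fields "$avc")
    [ $# -eq 4 ] || { echo "unparsable AVC record" >&2; return 1; }
    src=$1; tgt=$2; cls=$3; perm=$4
    if is_generic_type "$tgt"; then
        printf 'semanage fcontext -a -t %s_var_lib_t "%s(/.*)?"\n' "${src%_t}" "$dir"
        printf 'restorecon -Rv %s\n' "$dir"
    else
        printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
    fi
}

remediation /var/lib/mongo "$SAMPLE_AVC"
```

Run it on a real denial by passing the `type=AVC` line from `ausearch -m avc -c mongod` as the second argument; the semanage/restorecon commands are printed, not executed, so they can be reviewed first.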