<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:18:43 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-8881] SELinux is grumpy with directory labels for mongodb</title>
                <link>https://jira.mongodb.org/browse/SERVER-8881</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Mongo doesn&apos;t properly label directories it would appear. &lt;/p&gt;
</description>
                <environment>fedora 18, but really anything running SELinux</environment>
        <key id="67564">SERVER-8881</key>
            <summary>SELinux is grumpy with directory labels for mongodb</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="ernie.hershey@mongodb.com">Ernie Hershey</assignee>
                                    <reporter username="dvlhntr">whocares</reporter>
                        <labels>
                    </labels>
                <created>Wed, 6 Mar 2013 23:32:20 +0000</created>
                <updated>Mon, 13 Apr 2015 20:16:35 +0000</updated>
                            <resolved>Wed, 16 Oct 2013 16:22:18 +0000</resolved>
                                    <version>2.2.3</version>
                                                    <component>Packaging</component>
                    <component>Security</component>
                                        <votes>1</votes>
                                    <watches>8</watches>
                <comments>
                            <comment id="441636" author="ernie.hershey@10gen.com" created="Wed, 16 Oct 2013 16:22:18 +0000"  >&lt;p&gt;Verified in CentOS 6 and Fedora 18&lt;/p&gt;</comment>
                            <comment id="383019" author="markadams" created="Wed, 17 Jul 2013 11:17:44 +0000"  >&lt;p&gt;According to the Bugzilla bug from Redhat, this is being fixed as part of git commit &lt;a href=&quot;https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=936911269cb82447d62c3934ebb08265a9b8dc70&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;936911269cb82447d62c3934ebb08265a9b8dc70&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The current Fedora-built packages from MongoDB use /var/lib/mongodb instead of /var/lib/mongo and that&apos;s what the selinux policy labels.&lt;br/&gt;
The referenced commit modifies the selinux policy to label /var/lib/mongo.* which will include both paths.&lt;/p&gt;</comment>
                            <comment id="372895" author="lig" created="Tue, 2 Jul 2013 20:51:08 +0000"  >&lt;p&gt;I think it&apos;s time for you to talk to each other&lt;br/&gt;
&lt;a href=&quot;https://bugzilla.redhat.com/show_bug.cgi?id=972340&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://bugzilla.redhat.com/show_bug.cgi?id=972340&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="328799" author="jhn" created="Sun, 5 May 2013 14:36:08 +0000"  >&lt;p&gt;This is actually an issue with the SELinux policy in Fedora 18 itself, not the 10gen RPMs.&lt;/p&gt;

&lt;p&gt;In the SELinux policy in Fedora 17, &lt;tt&gt;/var/lib/mongo&lt;/tt&gt; is labeled &lt;tt&gt;mongod_var_lib_t&lt;/tt&gt; and the 10gen RPMs should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule.&lt;/p&gt;

&lt;p&gt;You could file a bug for the SELinux policy for Fedora 18 here: &lt;a href=&quot;https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&amp;amp;version=18&amp;amp;component=selinux-policy&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&amp;amp;version=18&amp;amp;component=selinux-policy&lt;/a&gt; explaining the issue and relate to the fact that the policy in Fedora 17 allows this.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="70377">SERVER-9201</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="70377">SERVER-9201</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Sun, 5 May 2013 14:36:08 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        10 years, 18 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ernie.hershey@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            10 years, 18 weeks ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10020"><![CDATA[Linux]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>ernie.hershey@mongodb.com</customfieldvalue>
            <customfieldvalue>jhn</customfieldvalue>
            <customfieldvalue>markadams</customfieldvalue>
            <customfieldvalue>lig</customfieldvalue>
            <customfieldvalue>dvlhntr</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrn2ov:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrg46f:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7581</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;use 10Gen rpms with any SELinux enabled machine. &lt;/p&gt;

&lt;p&gt;the grumpy message from SELinux is:&lt;/p&gt;

&lt;p&gt;SELinux is preventing /usr/bin/mongod from write access on the&lt;br/&gt;
directory /var/lib/mongo.&lt;/p&gt;

&lt;p&gt;Plugin catchall_labels (83.8 confidence) suggests ********************&lt;/p&gt;

&lt;p&gt;If you want to allow mongod to have write access on the mongo directory&lt;br/&gt;
Then you need to change the label on /var/lib/mongo&lt;br/&gt;
Do&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;semanage fcontext -a -t FILE_TYPE &apos;/var/lib/mongo&apos;&lt;br/&gt;
where FILE_TYPE is one of the following: var_log_t, mongod_var_lib_t,&lt;br/&gt;
mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t.&lt;br/&gt;
Then execute:&lt;br/&gt;
restorecon -v &apos;/var/lib/mongo&apos;&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Plugin catchall (17.1 confidence) suggests ***************************&lt;/p&gt;

&lt;p&gt;If you believe that mongod should be allowed write access on the mongo&lt;br/&gt;
directory by default.&lt;br/&gt;
Then you should report this as a bug.&lt;br/&gt;
You can generate a local policy module to allow this access.&lt;br/&gt;
Do&lt;br/&gt;
allow this access for now by executing:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;grep mongod /var/log/audit/audit.log | audit2allow -M mypol&lt;/li&gt;
	&lt;li&gt;semodule -i mypol.pp&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;Additional Information:&lt;br/&gt;
Source Context                system_u:system_r:mongod_t:s0&lt;br/&gt;
Target Context                system_u:object_r:var_lib_t:s0&lt;br/&gt;
Target Objects                /var/lib/mongo [ dir ]&lt;br/&gt;
Source                        mongod&lt;br/&gt;
Source Path                   /usr/bin/mongod&lt;br/&gt;
Port                          &amp;lt;Unknown&amp;gt;&lt;br/&gt;
Host                          localhost.localdomain&lt;br/&gt;
Source RPM Packages           mongo-10gen-server-2.2.3-mongodb_1.x86_64&lt;br/&gt;
Target RPM Packages           mongo-10gen-server-2.2.3-mongodb_1.x86_64&lt;br/&gt;
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch&lt;br/&gt;
Selinux Enabled               True&lt;br/&gt;
Policy Type                   targeted&lt;br/&gt;
Enforcing Mode                Enforcing&lt;br/&gt;
Host Name                     localhost.localdomain&lt;br/&gt;
Platform                      Linux localhost.localdomain 3.8.1-201.fc18.x86_64&lt;br/&gt;
                             #1 SMP Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64&lt;br/&gt;
Alert Count                   7&lt;br/&gt;
First Seen                    2013-02-26 11:39:20 MST&lt;br/&gt;
Last Seen                     2013-03-06 16:13:18 MST&lt;br/&gt;
Local ID                      66879c9d-d862-448c-97e7-5008c61179bf&lt;/p&gt;

&lt;p&gt;Raw Audit Messages&lt;br/&gt;
type=AVC msg=audit(1362611598.563:257): avc:  denied  { write } for&lt;br/&gt;
pid=1191 comm=&quot;mongod&quot; name=&quot;mongo&quot; dev=&quot;dm-1&quot; ino=37362&lt;br/&gt;
scontext=system_u:system_r:mongod_t:s0&lt;br/&gt;
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir&lt;/p&gt;


&lt;p&gt;type=SYSCALL msg=audit(1362611598.563:257): arch=x86_64 syscall=open&lt;br/&gt;
success=no exit=EACCES a0=7f21a5f6a898 a1=42 a2=1ff a3=39fb901070&lt;br/&gt;
items=0 ppid=1190 pid=1191 auid=4294967295 uid=989 gid=988 euid=989&lt;br/&gt;
suid=989 fsuid=989 egid=988 sgid=988 fsgid=988 ses=4294967295&lt;br/&gt;
tty=(none) comm=mongod exe=/usr/bin/mongod&lt;br/&gt;
subj=system_u:system_r:mongod_t:s0 key=(null)&lt;/p&gt;

&lt;p&gt;Hash: mongod,mongod_t,var_lib_t,dir,write&lt;/p&gt;

&lt;p&gt;audit2allow&lt;/p&gt;

&lt;p&gt;#============= mongod_t ==============&lt;br/&gt;
#!!!! The source type &apos;mongod_t&apos; can write to a &apos;dir&apos; of the following types:&lt;br/&gt;
# mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t&lt;/p&gt;

&lt;p&gt;allow mongod_t var_lib_t:dir write;&lt;/p&gt;

&lt;p&gt;audit2allow -R&lt;/p&gt;

&lt;p&gt;#============= mongod_t ==============&lt;br/&gt;
#!!!! The source type &apos;mongod_t&apos; can write to a &apos;dir&apos; of the following types:&lt;br/&gt;
# mongod_var_lib_t, var_log_t, mongod_var_run_t, var_run_t, mongod_tmp_t, mongod_log_t, tmp_t&lt;/p&gt;

&lt;p&gt;allow mongod_t var_lib_t:dir write;&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsu5rr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>