SELinux issue with MongoDB on Fedora 27
-
Here is what is there
[root@wiki ~]# ls -laZ /var/lib/mongo total 16388 drwxr-xr-x. 3 mongod mongod system_u:object_r:mongod_var_lib_t:s0 56 Jan 22 15:30 . drwxr-xr-x. 23 root root system_u:object_r:var_lib_t:s0 4096 Jan 22 15:28 .. drwxr-xr-x. 2 mongod mongod system_u:object_r:mongod_var_lib_t:s0 6 Jan 22 15:36 journal -rw-------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:30 local.ns -rwxr-xr-x. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 0 Jan 22 15:36 mongod.lock -
Maybe the real issue is failing to create the
_tmpfolder?[root@wiki ~]# setenforce 0 [root@wiki ~]# systemctl start mongod [root@wiki ~]# ls -laZ /var/lib/mongo total 81928 drwxr-xr-x. 4 mongod mongod system_u:object_r:mongod_var_lib_t:s0 83 Jan 22 15:45 . drwxr-xr-x. 23 root root system_u:object_r:var_lib_t:s0 4096 Jan 22 15:28 .. drwxr-xr-x. 2 mongod mongod system_u:object_r:mongod_var_lib_t:s0 18 Jan 22 15:45 journal -rw-------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0 -rw-------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns -rwxr-xr-x. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 4 Jan 22 15:45 mongod.lock drwxr-xr-x. 2 mongod mongod system_u:object_r:mongod_var_lib_t:s0 6 Jan 22 15:45 _tmp[root@wiki ~]# systemctl stop mongod [root@wiki ~]# setenforce 1 [root@wiki ~]# systemctl start mongod Job for mongod.service failed because the control process exited with error code. See "systemctl status mongod.service" and "journalctl -xe" for details. [root@wiki ~]# ls -laZ /var/lib/mongo total 81924 drwxr-xr-x. 3 mongod mongod system_u:object_r:mongod_var_lib_t:s0 71 Jan 22 15:46 . drwxr-xr-x. 23 root root system_u:object_r:var_lib_t:s0 4096 Jan 22 15:28 .. drwxr-xr-x. 2 mongod mongod system_u:object_r:mongod_var_lib_t:s0 6 Jan 22 15:46 journal -rw-------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0 -rw-------. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns -rwxr-xr-x. 1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 0 Jan 22 15:46 mongod.lock -
@jaredbusch does
sealert -a /var/log/audit/audit.logtell you anything? -
That it is blocking access to the
local.nsfile.[root@wiki ~]# sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing mongod from map access on the file /var/lib/mongo/local.ns. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mongod should be allowed map access on the local.ns file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'mongod' --raw | audit2allow -M my-mongod # semodule -X 300 -i my-mongod.pp Additional Information: Source Context system_u:system_r:mongod_t:s0 Target Context system_u:object_r:mongod_var_lib_t:s0 Target Objects /var/lib/mongo/local.ns [ file ] Source mongod Source Path mongod Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.21.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name wiki.ad.bundystl.com Platform Linux wiki.ad.bundystl.com 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64 Alert Count 7 First Seen 2018-01-22 15:30:30 CST Last Seen 2018-01-22 15:46:18 CST Local ID dde5689b-9ab0-422a-b57b-d996b8a4445a Raw Audit Messages type=AVC msg=audit(1516657578.317:251): avc: denied { map } for pid=1038 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0 Hash: mongod,mongod_t,mongod_var_lib_t,file,map -
This post is deleted! -
Have not see that issue but I'm also using mongodb that is available from Fedora instead.
/var/lib/mongo/doesn't exist for me. But/var/lib/mongodbdoes exist. I also do have local.ns too. -
@black3dynamite said in SELinux issue with MongoDB on Fedora 27:
Have not see that issue but I'm also using mongodb that is available from Fedora instead.
/var/lib/mongo/doesn't exist for me. But/var/lib/mongodbdoes exist. I also do have local.ns too./sigh
FFS @jaredbusch pay attention to what you are doing. don't use old versions.
-
Summary here is I used Mongo 2.4 or something. wasn't paying attention to what I was doing.
On current 3.4, it has no issues.
-
@jaredbusch said in SELinux issue with MongoDB on Fedora 27:
@black3dynamite said in SELinux issue with MongoDB on Fedora 27:
Have not see that issue but I'm also using mongodb that is available from Fedora instead.
/var/lib/mongo/doesn't exist for me. But/var/lib/mongodbdoes exist. I also do have local.ns too./sigh
FFS @jaredbusch pay attention to what you are doing. don't use old versions.
Long day when you have to sigh and FFS at yourself.
-
@brrabill said in SELinux issue with MongoDB on Fedora 27:
@jaredbusch said in SELinux issue with MongoDB on Fedora 27:
@black3dynamite said in SELinux issue with MongoDB on Fedora 27:
Have not see that issue but I'm also using mongodb that is available from Fedora instead.
/var/lib/mongo/doesn't exist for me. But/var/lib/mongodbdoes exist. I also do have local.ns too./sigh
FFS @jaredbusch pay attention to what you are doing. don't use old versions.
Long day when you have to sigh and FFS at yourself.
Something like that, yes.
