SELinux issue with MongoDB on Fedora 27


  • Steps to replicate:

    1. Install Fedora 27 Minimal,
    2. Install MongoDB Repo
    3. Install MongoDB
    4. Attempt to start service

    You will end up with this from journalctl -xe

    Jan 22 15:36:44 wiki.ad.bundystl.com audit[937]: AVC avc:  denied  { map } for  pid=937 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file  permissive=0
    

    Google tells me nothing useful.


  • Here is what is there

    [root@wiki ~]# ls -laZ /var/lib/mongo
    total 16388
    drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       56 Jan 22 15:30 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:36 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:30 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:36 mongod.lock
    

  • Maybe the real issue is failing to create the _tmp folder?

    [root@wiki ~]# setenforce 0
    [root@wiki ~]# systemctl start mongod
    [root@wiki ~]# ls -laZ /var/lib/mongo
    total 81928
    drwxr-xr-x.  4 mongod mongod system_u:object_r:mongod_var_lib_t:s0       83 Jan 22 15:45 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0       18 Jan 22 15:45 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        4 Jan 22 15:45 mongod.lock
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:45 _tmp
    
    [root@wiki ~]# systemctl stop mongod
    [root@wiki ~]# setenforce 1
    [root@wiki ~]# systemctl start mongod
    Job for mongod.service failed because the control process exited with error code.
    See "systemctl  status mongod.service" and "journalctl  -xe" for details.
    [root@wiki ~]# ls -laZ /var/lib/mongo
    total 81924
    drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       71 Jan 22 15:46 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:46 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:46 mongod.lock
    


  • @jaredbusch does sealert -a /var/log/audit/audit.log tell you anything?


  • That it is blocking access to the local.ns file.

    [root@wiki ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing mongod from map access on the file /var/lib/mongo/local.ns.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mongod should be allowed map access on the local.ns file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mongod' --raw | audit2allow -M my-mongod
    # semodule -X 300 -i my-mongod.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:mongod_t:s0
    Target Context                system_u:object_r:mongod_var_lib_t:s0
    Target Objects                /var/lib/mongo/local.ns [ file ]
    Source                        mongod
    Source Path                   mongod
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     wiki.ad.bundystl.com
    Platform                      Linux wiki.ad.bundystl.com 4.14.13-300.fc27.x86_64
                                  #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64
    Alert Count                   7
    First Seen                    2018-01-22 15:30:30 CST
    Last Seen                     2018-01-22 15:46:18 CST
    Local ID                      dde5689b-9ab0-422a-b57b-d996b8a4445a
    
    Raw Audit Messages
    type=AVC msg=audit(1516657578.317:251): avc:  denied  { map } for  pid=1038 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0
    
    
    Hash: mongod,mongod_t,mongod_var_lib_t,file,map
    
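The sealert output above shows the two things a defender should read off any AVC denial: the permission that was refused (`map`) and whether the target file carries the type the daemon's policy expects (`mongod_var_lib_t`, which it does here, so this is a policy/software mismatch rather than a mislabelled file). The following triage script is an added example, not code from the thread or from the setroubleshoot/audit2allow tools; it parses the raw AVC record quoted above, reproduces the single allow rule audit2allow would emit for it, and classifies the denial as "relabel" (restorecon is the fix), "audit-only" (permissive domain) or "policy" (label is right, policy lacks the permission). The GENERIC_TYPES list is an illustrative assumption, not an exhaustive one.

```python
import re

# Constructed sample: the AVC record quoted in the sealert output above (one line).
SAMPLE_AVC = (
    'type=AVC msg=audit(1516657578.317:251): avc:  denied  { map } for  pid=1038 '
    'comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 '
    'scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0'
)

# Generic file types that usually mean the object never received its proper label
# (assumption: this list is illustrative, not exhaustive). A denial against one of
# these is normally fixed with restorecon, not by writing new policy.
GENERIC_TYPES = {"var_lib_t", "var_t", "default_t", "unlabeled_t", "file_t",
                 "var_log_t", "tmp_t", "usr_t", "etc_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')      # { map } or { read write }

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission list, else None."""
    if "avc:" not in line or "denied" not in line:
        return None
    perms = PERMS_RE.search(line)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = perms.group(1).split()
    return fields

def type_of(context):
    """system_u:object_r:mongod_var_lib_t:s0 -> mongod_var_lib_t (third field)."""
    return context.split(":")[2]

def allow_rule(avc):
    """The single TE rule audit2allow would emit for this one denial."""
    return "allow %s %s:%s { %s };" % (type_of(avc["scontext"]), type_of(avc["tcontext"]),
                                        avc["tclass"], " ".join(avc["perms"]))

def triage(avc):
    """'relabel': target carries a generic type, run restorecon on the path.
    'audit-only': domain is permissive, nothing was actually blocked.
    'policy': label is correct but policy lacks the permission (this thread's case)."""
    if type_of(avc["tcontext"]) in GENERIC_TYPES:
        return "relabel"
    if avc.get("permissive") == "1":
        return "audit-only"
    return "policy"

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(triage(avc), "->", allow_rule(avc))  # policy -> allow mongod_t mongod_var_lib_t:file { map };
```

For this thread the result is "policy", which matches the conclusion reached later: the files were labelled correctly and the denial came from running a MongoDB build the Fedora 27 policy was not written for.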


  • Have not seen that issue but I'm also using mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.


  • @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue but I'm also using mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch pay attention to what you are doing. Don't use old versions.


  • Summary here is I used Mongo 2.4 or something. Wasn't paying attention to what I was doing.

    On current 3.4, it has no issues.



  • @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

    @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue but I'm also using mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch pay attention to what you are doing. Don't use old versions.

    Long day when you have to sigh and FFS at yourself.


  • @brrabill said in SELinux issue with MongoDB on Fedora 27:

    @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

    @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue but I'm also using mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch pay attention to what you are doing. Don't use old versions.

    Long day when you have to sigh and FFS at yourself.

    Something like that, yes.