SELinux issue with MongoDB on Fedora 27


  • Service Provider

    Steps to replicate:

    1. Install Fedora 27 Minimal,
    2. Install MongoDB Repo
    3. Install MongoDB
    4. Attempt to start service

    You will end up with this from journalctl -xe:

    Jan 22 15:36:44 wiki.ad.bundystl.com audit[937]: AVC avc:  denied  { map } for  pid=937 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file  permissive=0
    

    Google tells me nothing useful.


  • Service Provider

    Here is what is there:

    [[email protected] ~]# ls -laZ /var/lib/mongo
    total 16388
    drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       56 Jan 22 15:30 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:36 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:30 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:36 mongod.lock
    

  • Service Provider

    Maybe the real issue is failing to create the _tmp folder?

    [[email protected] ~]# setenforce 0
    [[email protected] ~]# systemctl start mongod
    [[email protected] ~]# ls -laZ /var/lib/mongo
    total 81928
    drwxr-xr-x.  4 mongod mongod system_u:object_r:mongod_var_lib_t:s0       83 Jan 22 15:45 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0       18 Jan 22 15:45 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        4 Jan 22 15:45 mongod.lock
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:45 _tmp
    
    [[email protected] ~]# systemctl stop mongod
    [[email protected] ~]# setenforce 1
    [[email protected] ~]# systemctl start mongod
    Job for mongod.service failed because the control process exited with error code.
    See "systemctl  status mongod.service" and "journalctl  -xe" for details.
    [[email protected] ~]# ls -laZ /var/lib/mongo
    total 81924
    drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       71 Jan 22 15:46 .
    drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
    drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:46 journal
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
    -rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
    -rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:46 mongod.lock
    


  • @jaredbusch does sealert -a /var/log/audit/audit.log tell you anything?


  • Service Provider

    That it is blocking access to the local.ns file.

    [[email protected] ~]# sealert -a /var/log/audit/audit.log
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing mongod from map access on the file /var/lib/mongo/local.ns.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mongod should be allowed map access on the local.ns file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mongod' --raw | audit2allow -M my-mongod
    # semodule -X 300 -i my-mongod.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:mongod_t:s0
    Target Context                system_u:object_r:mongod_var_lib_t:s0
    Target Objects                /var/lib/mongo/local.ns [ file ]
    Source                        mongod
    Source Path                   mongod
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           
    Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     wiki.ad.bundystl.com
    Platform                      Linux wiki.ad.bundystl.com 4.14.13-300.fc27.x86_64
                                  #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64
    Alert Count                   7
    First Seen                    2018-01-22 15:30:30 CST
    Last Seen                     2018-01-22 15:46:18 CST
    Local ID                      dde5689b-9ab0-422a-b57b-d996b8a4445a
    
    Raw Audit Messages
    type=AVC msg=audit(1516657578.317:251): avc:  denied  { map } for  pid=1038 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0
    
    
    Hash: mongod,mongod_t,mongod_var_lib_t,file,map
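Before running the catch-all `ausearch | audit2allow -M` suggestion from sealert, it is worth separating the two very different causes an AVC like this can have: a file carrying the wrong label (fixed with `restorecon`, no policy change needed) versus a correctly labelled file that the shipped policy simply does not allow the domain to `map` (a real policy gap). The `ls -laZ` output above shows `local.ns` already carries `mongod_var_lib_t`, so this thread is the second case. The script below is an added example, not code from the thread or from the selinux-policy project: it parses the raw AVC line quoted above (embedded here as a constructed sample), triages it against the type the policy expects for that path (on a live box you would get that with `matchpathcon -n /var/lib/mongo/local.ns`; here it is passed in as an argument), and emits the one-rule `.te` source that `audit2allow` would generate for this single denial. The module name `my-mongod` is the one sealert suggested; everything else is assumed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the raw AVC record quoted in the thread above.
SAMPLE_AVC='type=AVC msg=audit(1516657578.317:251): avc:  denied  { map } for  pid=1038 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of a KEY=value token in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission names inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE EXPECTED_TYPE: print "RELABEL: ..." when the file's actual
# type differs from what the policy expects for that path (fix with
# restorecon), or "POLICY: ..." when the label is right and the denial is a
# genuine policy gap. EXPECTED_TYPE comes from:  matchpathcon -n "$path"
avc_triage() {
    _path=$(avc_field "$1" path | tr -d '"')
    _actual=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$_actual" != "$2" ]; then
        printf 'RELABEL: %s is %s, policy expects %s; run: restorecon -v %s\n' \
            "$_path" "$_actual" "$2" "$_path"
    else
        printf 'POLICY: %s is correctly labelled %s; %s on %s is not allowed for %s\n' \
            "$_path" "$_actual" "$(avc_perms "$1")" \
            "$(avc_field "$1" tclass)" "$(ctx_type "$(avc_field "$1" scontext)")"
    fi
}

# avc_to_te LINE MODULE: emit the minimal .te source for this one denial,
# i.e. a single allow rule rather than whatever a whole audit log accumulates.
avc_to_te() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    _perms=$(avc_perms "$1")
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$2" "$_src" "$_tgt" "$_cls" "$_perms" "$_src" "$_tgt" "$_cls" "$_perms"
}

# Stand-alone run against the sample: triage first, then the module source.
avc_triage "$SAMPLE_AVC" mongod_var_lib_t
avc_to_te "$SAMPLE_AVC" my-mongod
```

On a real host, feed it one record at a time from `ausearch -c mongod --raw | grep '^type=AVC'`, compare the resulting `.te` with what `audit2allow -M my-mongod` wrote before you `semodule -X 300 -i my-mongod.pp`, and reject anything broader than `allow mongod_t mongod_var_lib_t:file { map };`. Even that one rule is a policy widening that the thread ultimately did not need: `map` is the permission checked when a domain mmap()s a file, and the `local.ns`/`local.0` files are the MMAPv1 storage layout of the old MongoDB 2.x build that was installed by mistake; moving to the current 3.4 package, as the thread does below, made the denial go away without touching policy.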
    




  • Have not seen that issue, but I'm also using the mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.


  • Service Provider

    @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue, but I'm also using the mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch, pay attention to what you are doing. Don't use old versions.


  • Service Provider

    Summary here is I used Mongo 2.4 or something. I wasn't paying attention to what I was doing.

    On current 3.4, it has no issues.



  • @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

    @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue, but I'm also using the mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch, pay attention to what you are doing. Don't use old versions.

    Long day when you have to sigh and FFS at yourself.


  • Service Provider

    @brrabill said in SELinux issue with MongoDB on Fedora 27:

    @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

    @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

    Have not seen that issue, but I'm also using the mongodb that is available from Fedora instead.
    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

    /sigh

    FFS @jaredbusch, pay attention to what you are doing. Don't use old versions.

    Long day when you have to sigh and FFS at yourself.

    Something like that, yes.


