ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Solved SELinux issue with MongoDB on Fedora 27

    IT Discussion
    mongodb selinux fedora 27
    4
    11
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch
      last edited by JaredBusch

      Steps to replicate:

      1. Install Fedora 27 Minimal,
      2. Install MongoDB Repo
      3. Install MongoDB
      4. Attempt to start service

      You will end up with this from journalctl -xe

      Jan 22 15:36:44 wiki.ad.bundystl.com audit[937]: AVC avc:  denied  { map } for  pid=937 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file  permissive=0

      Google tells me nothing useful.

      1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch
        last edited by JaredBusch

        Summary here is I used Mongo 2.4 or something. wasn't paying attention to what I was doing.

        On current 3.4, it has no issues.

        1 Reply Last reply Reply Quote 2
        • JaredBuschJ
          JaredBusch
          last edited by

          Here is what is there

          [root@wiki ~]# ls -laZ /var/lib/mongo
total 16388
drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       56 Jan 22 15:30 .
drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:36 journal
-rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:30 local.ns
-rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:36 mongod.lock
          1 Reply Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch
            last edited by

            Maybe the real issue is failing to create the _tmp folder?

            [root@wiki ~]# setenforce 0
[root@wiki ~]# systemctl start mongod
[root@wiki ~]# ls -laZ /var/lib/mongo
total 81928
drwxr-xr-x.  4 mongod mongod system_u:object_r:mongod_var_lib_t:s0       83 Jan 22 15:45 .
drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0       18 Jan 22 15:45 journal
-rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
-rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
-rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        4 Jan 22 15:45 mongod.lock
drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:45 _tmp

            [root@wiki ~]# systemctl stop mongod
[root@wiki ~]# setenforce 1
[root@wiki ~]# systemctl start mongod
Job for mongod.service failed because the control process exited with error code.
See "systemctl  status mongod.service" and "journalctl  -xe" for details.
[root@wiki ~]# ls -laZ /var/lib/mongo
total 81924
drwxr-xr-x.  3 mongod mongod system_u:object_r:mongod_var_lib_t:s0       71 Jan 22 15:46 .
drwxr-xr-x. 23 root   root   system_u:object_r:var_lib_t:s0            4096 Jan 22 15:28 ..
drwxr-xr-x.  2 mongod mongod system_u:object_r:mongod_var_lib_t:s0        6 Jan 22 15:46 journal
-rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 67108864 Jan 22 15:45 local.0
-rw-------.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0 16777216 Jan 22 15:45 local.ns
-rwxr-xr-x.  1 mongod mongod system_u:object_r:mongod_var_lib_t:s0        0 Jan 22 15:46 mongod.lock
            wirestyle22W 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22 @JaredBusch
              last edited by wirestyle22

              @jaredbusch does sealert -a /var/log/audit/audit.log tell you anything?

              1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch
                last edited by

                That it is blocking access to the local.ns file.

                [root@wiki ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing mongod from map access on the file /var/lib/mongo/local.ns.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed map access on the local.ns file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mongod' --raw | audit2allow -M my-mongod
# semodule -X 300 -i my-mongod.pp


Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:mongod_var_lib_t:s0
Target Objects                /var/lib/mongo/local.ns [ file ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wiki.ad.bundystl.com
Platform                      Linux wiki.ad.bundystl.com 4.14.13-300.fc27.x86_64
                              #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64
Alert Count                   7
First Seen                    2018-01-22 15:30:30 CST
Last Seen                     2018-01-22 15:46:18 CST
Local ID                      dde5689b-9ab0-422a-b57b-d996b8a4445a

Raw Audit Messages
type=AVC msg=audit(1516657578.317:251): avc:  denied  { map } for  pid=1038 comm="mongod" path="/var/lib/mongo/local.ns" dev="dm-0" ino=101113146 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:mongod_var_lib_t:s0 tclass=file permissive=0


Hash: mongod,mongod_t,mongod_var_lib_t,file,map
                1 Reply Last reply Reply Quote 0
                • wirestyle22W
                  wirestyle22
                  last edited by wirestyle22

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • black3dynamiteB
                    black3dynamite
                    last edited by black3dynamite

                    Have not see that issue but I'm also using mongodb that is available from Fedora instead.
                    /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

                    JaredBuschJ 1 Reply Last reply Reply Quote 2
                    • JaredBuschJ
                      JaredBusch @black3dynamite
                      last edited by JaredBusch

                      @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

                      Have not see that issue but I'm also using mongodb that is available from Fedora instead.
                      /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

                      /sigh

                      FFS @jaredbusch pay attention to what you are doing. don't use old versions.

                      BRRABillB 1 Reply Last reply Reply Quote 4
                      • JaredBuschJ
                        JaredBusch
                        last edited by JaredBusch

                        Summary here is I used Mongo 2.4 or something. wasn't paying attention to what I was doing.

                        On current 3.4, it has no issues.

                        1 Reply Last reply Reply Quote 2
                        • BRRABillB
                          BRRABill @JaredBusch
                          last edited by

                          @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

                          @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

                          Have not see that issue but I'm also using mongodb that is available from Fedora instead.
                          /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

                          /sigh

                          FFS @jaredbusch pay attention to what you are doing. don't use old versions.

                          Long day when you have to sigh and FFS at yourself.

                          JaredBuschJ 1 Reply Last reply Reply Quote 1
                          • JaredBuschJ
                            JaredBusch @BRRABill
                            last edited by

                            @brrabill said in SELinux issue with MongoDB on Fedora 27:

                            @jaredbusch said in SELinux issue with MongoDB on Fedora 27:

                            @black3dynamite said in SELinux issue with MongoDB on Fedora 27:

                            Have not see that issue but I'm also using mongodb that is available from Fedora instead.
                            /var/lib/mongo/ doesn't exist for me. But /var/lib/mongodb does exist. I also do have local.ns too.

                            /sigh

                            FFS @jaredbusch pay attention to what you are doing. don't use old versions.

                            Long day when you have to sigh and FFS at yourself.

                            Something like that, yes.

                            1 Reply Last reply Reply Quote 1
                            • 1 / 1
                            • First post
                              Last post