Description of problem:
SELinux does not allow executing some commands in the mongo shell.
MongoDB should have allowed execmem:
allow mongod_t self:process { execmem }; fixes it...
Version-Release number of selected component (if applicable):
Packages mongodb and mongodb-server from version 2.6. Now it is in Rawhide and EPEL 7.
(for mongodb 2.4 it is working correctly)
How reproducible:
Steps to Reproduce:
1. Run mongo shell and enter these commands:
> t = db.jstests_and
> t.drop()
> t.save( {a:[1,2]} )
> t.count( {a:'foo',$where:'this.a=="foo"'} )
Actual results:
2014-12-16T12:53:17.034+0100 DBClientCursor::init call() failed
2014-12-16T12:53:17.035+0100 Error: error doing query: failed at src/mongo/shell/query.js:81
2014-12-16T12:53:17.038+0100 trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2014-12-16T12:53:17.074+0100 warning: Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2014-12-16T12:53:17.074+0100 reconnect 127.0.0.1:27017 (127.0.0.1) failed failed couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed
Expected results:
t.count( {a:'foo',$where:'this.a=="foo"'} ) should return 0
Additional info:
SELinux log:
SELinux is preventing mongod from using the execmem access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:system_r:mongod_t:s0
Target Objects Unknown [ process ]
Source mongod
Source Path mongod
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-100.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.18.0-1.fc22.x86_64
#1 SMP Tue Dec 9 14:49:38 UTC 2014 x86_64 x86_64
Alert Count 2
First Seen 2014-12-16 11:10:55 CET
Last Seen 2014-12-16 11:40:02 CET
Local ID 526830df-89d6-4524-8ee7-d9cb5bbe2e1e
Raw Audit Messages
type=AVC msg=audit(1418726402.258:697): avc: denied { execmem } for pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0
Hash: mongod,mongod_t,mongod_t,process,execmem
#============= mongod_t ==============
#!!!! This avc is allowed in the current policy
allow mongod_t self:process execmem;
[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.13.1-119.fc23.noarch
Fixed also in F22
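An added example, not part of the original report or of the selinux-policy tooling: a small parser that turns the AVC record above into the `allow` rule that `audit2allow` would emit, and flags memory-protection permissions such as `execmem` for review before a local module is installed. The sample SYSCALL line and the function names are constructed for illustration.

```python
import re

# The AVC line is the one quoted in this report; the SYSCALL line is a
# constructed companion record that the parser must ignore.
SAMPLE_LOG = '''type=AVC msg=audit(1418726402.258:697): avc: denied { execmem } for pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1418726402.258:697): arch=c000003e syscall=9 success=no comm="mongod"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that relax W^X style memory protections; worth a human look
# before they are granted to a network-facing daemon.
MEMORY_PERMS = {'execmem', 'execstack', 'execheap', 'execmod'}


def parse_denials(log_text):
    """Return a set of (source_type, target_type, tclass, perm) tuples."""
    denials = set()
    for line in log_text.splitlines():
        if not line.startswith('type=AVC'):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        src = m['scontext'].split(':')[2]
        tgt = m['tcontext'].split(':')[2]
        for perm in m['perms'].split():
            denials.add((src, tgt, m['tclass'], perm))
    return denials


def to_allow_rules(denials):
    """Render denials as type-enforcement rules, using 'self' when source == target."""
    rules = []
    for src, tgt, tclass, perm in sorted(denials):
        target = 'self' if src == tgt else tgt
        rules.append(f'allow {src} {target}:{tclass} {perm};')
    return rules


def needs_review(denials):
    """Return the denials whose permission weakens memory protections."""
    return sorted(d for d in denials if d[3] in MEMORY_PERMS)
```
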