Bug 1204024

Summary: Missing policy for mongodb
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Target Release: ---
Reporter: Marek Skalický <mskalick>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: admiller, bgollahe, dominick.grift, dwalsh, extras-qa, hhorak, jdornak, jherrman, jim, johan.o.hedin, jpacner, lvrabec, mgrepl, mmalik, mskalick, nathaniel, plautrba, pvrabec, ssekidde, strobert, tdawson
Keywords: ZStream
Fixed In Version: selinux-policy-3.13.1-24.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, when using SELinux in Enforcing mode, certain commands in the mongo shell failed due to an incomplete MongoDB policy. This update adjusts the MongoDB policy to address this problem, and the impacted commands now work in the mongo shell as expected.
Story Points: ---
Clone Of: 1174740
Clones: 1212970
Last Closed: 2015-11-19 10:27:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1174740
Bug Blocks: 1208765, 1212970

Description Marek Skalický 2015-03-20 07:47:25 UTC
+++ This bug was initially created as a clone of Bug #1174740 +++

Description of problem:
SELinux does not allow executing some commands in the mongo shell.

MongoDB should have execmem allowed:
allow mongod_t self:process { execmem }; fixes it...

Version-Release number of selected component (if applicable):
Packages mongodb and mongodb-server from version 2.6. It is now in Rawhide and EPEL 7.
(For mongodb 2.4 it works correctly.)

How reproducible:

Steps to Reproduce:
1. Run the mongo shell and enter these commands:
> t = db.jstests_and
> t.drop()
> t.save( {a:[1,2]} )
> t.count( {a:'foo',$where:'this.a=="foo"'} )

Actual results:
2014-12-16T12:53:17.034+0100 DBClientCursor::init call() failed
2014-12-16T12:53:17.035+0100 Error: error doing query: failed at src/mongo/shell/query.js:81
2014-12-16T12:53:17.038+0100 trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2014-12-16T12:53:17.074+0100 warning: Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2014-12-16T12:53:17.074+0100 reconnect 127.0.0.1:27017 (127.0.0.1) failed failed couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed

Expected results:
t.count( {a:'foo',$where:'this.a=="foo"'} ) should return 0


Additional info:
SELinux log:

SELinux is preventing mongod from using the execmem access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ process ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-100.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.18.0-1.fc22.x86_64
                              #1 SMP Tue Dec 9 14:49:38 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-12-16 11:10:55 CET
Last Seen                     2014-12-16 11:40:02 CET
Local ID                      526830df-89d6-4524-8ee7-d9cb5bbe2e1e

Raw Audit Messages
type=AVC msg=audit(1418726402.258:697): avc:  denied  { execmem } for  pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0


Hash: mongod,mongod_t,mongod_t,process,execmem

--- Additional comment from Milos Malik on 2014-12-16 08:26:55 EST ---

This might be a compiler issue.

--- Additional comment from Milos Malik on 2014-12-16 08:28:14 EST ---

http://www.akkadia.org/drepper/selinux-mem.html

--- Additional comment from Marek Skalický on 2015-01-05 10:05:41 EST ---

mongod requires execmem because it uses V8 JS engine - https://groups.google.com/forum/#!topic/mongodb-dev/4Gwi7yc1SvY (disabling scripting will result in greatly limited functionality).

How do other applications using V8 solve this problem?

--- Additional comment from Honza Horak on 2015-01-13 10:14:45 EST ---

I believe there could be some SELinux boolean for allowing mongodb execmem access, similar to the variables httpd_execmem, cups_execmem, etc.

--- Additional comment from Jaroslav Reznik on 2015-03-03 11:37:31 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 1 Honza Horak 2015-03-20 08:01:35 UTC
Since we encounter this issue in rh-mongodb26-mongodb in RHSCL-2.0, we need to handle it somehow there *very soon*, but I'm not sure if this fix gets into selinux-policy soon enough. Mirku, is there any work-around we can use in the mongodb daemon right now? Or is there any way a user can allow it himself?

I'm not sure if this is the right way to work-around it:

   #> cat local.te

   module local 1.0;

   require {
       type mongod_t;
       class process execmem;
   }

   #============= mongod_t ==============
   allow mongod_t self:process execmem;

   #> checkmodule -M -m -o local.mod local.te
   #> semodule_package -o local.pp -m local.mod
   #> semodule -i local.pp


And whether we can advise something like that until it gets fixed in selinux-policy.
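
An added example (not code from this bug, from MongoDB or from the selinux-policy project) in Python: it parses raw AVC records like the one in the description, flags enforcing-mode denials that ask for memory-execute permissions such as execmem for human review instead of feeding them straight to audit2allow, and renders the same minimal local.te module that the work-around in this comment shows. The second audit line in the sample is constructed for contrast.

```python
import re
from dataclasses import dataclass
# Permissions that relax SELinux memory-protection (W^X) guarantees; a denial
# asking for one of these warrants a review, not a reflexive audit2allow rule.
MEMORY_EXEC_PERMS = frozenset({"execmem", "execstack", "execheap", "execmod"})
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample: line 1 is the denial quoted in this bug, line 2 is an
# invented permissive-mode denial of another class, added for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1418726402.258:697): avc:  denied  { execmem } for  pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0
type=AVC msg=audit(1418726402.300:698): avc:  denied  { name_connect } for  pid=17280 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
"""
@dataclass(frozen=True)
class Avc:
    result: str       # "denied" or "granted"
    perms: frozenset  # permissions requested, e.g. {"execmem"}
    fields: dict      # key=value pairs after "for": pid, comm, scontext, ...

    def type_of(self, ctx):
        return self.fields[ctx].split(":")[2]  # user:role:TYPE:level

def parse_avc(line):
    """Return an Avc for an AVC audit record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), frozenset(m.group("perms").split()), fields)

def needs_review(avc):
    # Only enforcing-mode denials for memory-execute permissions are flagged.
    return (avc.result == "denied" and avc.fields.get("permissive") == "0"
            and bool(avc.perms & MEMORY_EXEC_PERMS))

def review(audit_text):
    """Map pid -> (source type, flagged perms) for records needing review."""
    avcs = [a for a in map(parse_avc, audit_text.splitlines()) if a and needs_review(a)]
    return {a.fields["pid"]: (a.type_of("scontext"), a.perms & MEMORY_EXEC_PERMS) for a in avcs}

def render_te(avc, name="local"):
    """Minimal policy module that would allow exactly this access (the shape of local.te above)."""
    src, tgt, cls = avc.type_of("scontext"), avc.type_of("tcontext"), avc.fields["tclass"]
    perms = " ".join(sorted(avc.perms))
    expr = perms if len(avc.perms) == 1 else "{ " + perms + " }"
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in ([src] if src == tgt else [src, tgt])]
    body += [f"\tclass {cls} {expr};", "}", "", f"#============= {src} ==============",
             f"allow {src} {'self' if src == tgt else tgt}:{cls} {expr};"]
    return "\n".join(body) + "\n"
```

Run review(SAMPLE_AUDIT) to see only the execmem denial reported; render_te() reproduces the module text so the reviewer can compare it with what audit2allow would emit before deciding to load it.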

Comment 2 Honza Horak 2015-04-03 08:52:33 UTC
Just FTR there is no problem in RHEL-6, because the RHEL-6 policy allows it by default. No need to enable any booleans.

# rpm -qa selinux-policy\*
selinux-policy-3.7.19-262.el6.noarch
selinux-policy-targeted-3.7.19-262.el6.noarch
selinux-policy-mls-3.7.19-262.el6.noarch
selinux-policy-doc-3.7.19-262.el6.noarch
selinux-policy-minimum-3.7.19-262.el6.noarch
# sesearch -s mongod_t -t mongod_t -c process -A -C -p execmem
Found 3 semantic av rules:
   allow mongod_t mongod_t : process { fork transition sigchld signal getsched setsched execmem } ; 
ET allow mongod_t mongod_t : process execmem ; [ allow_execmem ]
ET allow mongod_t mongod_t : process { execmem execstack } ; [ allow_execstack ]

Comment 7 errata-xmlrpc 2015-11-19 10:27:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html