Bug 1209942

Summary: RHSCL mongodb-scl-helper
Product: Red Hat Enterprise Linux 7
Reporter: Marek Skalický <mskalick>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: bgollahe, jherrman, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-25.el7
Doc Type: Bug Fix
Doc Text:
The support for the /usr/libexec/mongodb-scl-helper script for Red Hat Software Collections has been added to the selinux-policy package. This script ensures that the proper SELinux domain is used for daemons in the MongoDB database contained in the Red Hat Software Collections.
Clone Of:
: 1214755
Environment:
Last Closed: 2015-11-19 10:31:16 UTC
Type: Bug
Bug Depends On:    
Bug Blocks: 1208765, 1214755    

Description Marek Skalický 2015-04-08 13:36:04 UTC
Description of problem:
To use the proper SELinux domain for daemons in RHSCL mongodb, there is mongodb-scl-helper, which should fix it. If this script has domain mongod_exec_t (it should be so), there are two new SELinux AVCs:

-------------------------------------------------------------------------------
Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source                        mongodb_safe-sc
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          unused-4-144.brq.redhat.com
Source RPM Packages           bash-4.2.46-12.el7.x86_64
Target RPM Packages           sssd-common-1.12.2-58.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     unused-4-144.brq.redhat.com
Platform                      Linux unused-4-144.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   4
First Seen                    2015-03-19 16:53:04 CET
Last Seen                     2015-03-19 16:53:05 CET
Local ID                      84a2d443-e55e-4a6a-a6b6-a7b213101c68

Raw Audit Messages
type=AVC msg=audit(1426780385.96:447): avc:  denied  { search } for
pid=4384 comm="scl_enabled" name="sss" dev="dm-0" ino=9427030
scontext=system_u:system_r:mongod_t:s0
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1426780385.96:447): arch=x86_64 syscall=connect
success=no exit=EACCES a0=3 a1=7fffdbe79a20 a2=6e a3=7fffdbe79740
items=0 ppid=4373 pid=4384 auid=4294967295 uid=184 gid=989 euid=184
suid=184 fsuid=184 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295
comm=scl_enabled exe=/usr/bin/bash subj=system_u:system_r:mongod_t:s0
key=(null)

Hash: mongodb_safe-sc,mongod_t,sssd_var_lib_t,dir,search

-------------------------------------------------------------------------------

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        mongodb_safe-sc
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          unused-4-144.brq.redhat.com
Source RPM Packages           bash-4.2.46-12.el7.x86_64
Target RPM Packages           setup-2.8.71-5.el7.noarch
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     unused-4-144.brq.redhat.com
Platform                      Linux unused-4-144.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   4
First Seen                    2015-03-19 16:53:04 CET
Last Seen                     2015-03-19 16:53:05 CET
Local ID                      065763b3-3671-45c6-9f27-ace9762df5a7

Raw Audit Messages
type=AVC msg=audit(1426780385.96:445): avc:  denied  { read } for
pid=4384 comm="scl_enabled" name="passwd" dev="dm-0" ino=9594119
scontext=system_u:system_r:mongod_t:s0
tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1426780385.96:445): arch=x86_64 syscall=open
success=no exit=EACCES a0=7f3a08b50d8a a1=80000 a2=1b6 a3=0 items=0
ppid=4373 pid=4384 auid=4294967295 uid=184 gid=989 euid=184 suid=184
fsuid=184 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295
comm=scl_enabled exe=/usr/bin/bash subj=system_u:system_r:mongod_t:s0
key=(null)

Hash: mongodb_safe-sc,mongod_t,passwd_file_t,file,read

-------------------------------------------------------------------------------

See discussion in bug 1202013
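
Added example, not part of the original report or of selinux-policy: a Python parser that rejoins hard-wrapped audit records, extracts the AVC denials, and groups them by source type, target type and object class, which yields the same tuples as the "Hash:" lines in the sealert output above. The function names (unwrap, parse_avc, summarize) are hypothetical, and the sample is the two AVC records from this report plus a shortened SYSCALL record.

```python
import re
from collections import defaultdict

# The two AVC records from this report (SYSCALL record shortened), hard-wrapped.
SAMPLE = """\
type=AVC msg=audit(1426780385.96:447): avc:  denied  { search } for
pid=4384 comm="scl_enabled" name="sss" dev="dm-0" ino=9427030
scontext=system_u:system_r:mongod_t:s0
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1426780385.96:447): arch=x86_64 syscall=connect
success=no exit=EACCES a0=3 a1=7fffdbe79a20 a2=6e a3=7fffdbe79740
type=AVC msg=audit(1426780385.96:445): avc:  denied  { read } for
pid=4384 comm="scl_enabled" name="passwd" dev="dm-0" ino=9594119
scontext=system_u:system_r:mongod_t:s0
tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin hard-wrapped records: a new record always starts with 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return a dict for an AVC denial, or None for any other record type."""
    m = AVC_RE.search(record)
    if not record.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    # A context is user:role:type:level, so the type is the third field.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(text):
    """Group denials by (source type, target type, class); merge permissions."""
    grouped = defaultdict(set)
    for rec in unwrap(text):
        if (avc := parse_avc(rec)):
            key = (avc["source_type"], avc["target_type"], avc["tclass"])
            grouped[key].update(avc["perms"])
    return {k: sorted(v) for k, v in grouped.items()}
```

The summary only shows what mongod_t was denied; it is a triage aid and not the policy change made for this bug, which added support for the /usr/libexec/mongodb-scl-helper script.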

Comment 2 Miroslav Grepl 2015-04-22 09:05:39 UTC
commit 96db7294ddc100d96170f15870f619d4c7a2b932
Author: Miroslav Grepl <mgrepl>
Date:   Wed Apr 22 11:03:51 2015 +0200

    Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.

Comment 7 errata-xmlrpc 2015-11-19 10:31:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html