Bug 1306819
Summary: | SELinux Prevents Mongodb from writing to syslog | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Seth Kress <kresss> | ||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 23 | CC: | admiller, bretm, dominick.grift, dwalsh, jdornak, johan.o.hedin, jpacner, lvrabec, mgrepl, mskalick, npmccallum, plautrba, strobert, tdawson | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | selinux-policy-3.13.1-158.7.fc23 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1306995 (view as bug list) | Environment: | |||||
Last Closed: | 2016-02-26 19:24:01 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1306995 | ||||||
Attachments: |
|
Moving to selinux-policy. This bug affect all versions of Fedora and also EPEL. SELinux info from F23: SELinux is preventing mongod from create access on the unix_dgram_socket Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mongod /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mongod_t:s0 Target Context system_u:system_r:mongod_t:s0 Target Objects Unknown [ unix_dgram_socket ] Source mongod Source Path mongod Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.4.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.3.5-300.fc23.x86_64 #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64 Alert Count 18 First Seen 2016-02-12 11:55:02 CET Last Seen 2016-02-12 11:55:04 CET Local ID e337899f-d93d-4e16-87cc-946bb15094ca Raw Audit Messages type=AVC msg=audit(1455274504.344:4698): avc: denied { create } for pid=10112 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket permissive=0 Hash: mongod,mongod_t,mongod_t,unix_dgram_socket,create commit ce02c3567f10a859cc74293009cdeca3e3e583ae Author: Lukas Vrabec <lvrabec> Date: Mon Feb 15 13:19:18 2016 +0100 Allow create mongodb unix dgram sockets. rhbz#1306819 selinux-policy-3.13.1-158.7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1123284 [details] sealert output. Description of problem: Mongod cannot start when configured to log to syslog. Version-Release number of selected component (if applicable): mongodb.x86_64 2.6.11-1.el7 mongodb-server.x86_64 2.6.11-1.el7 How reproducible: Always. Steps to Reproduce: 1. Install mongodb-server 2. Configure to use syslog loging. Edit /etc/mongod.conf and set the following: syslog = true syslogFacility = user #logpath = /var/log/mongodb/mongod.log 3. Start mongod # systemctl start mongod Actual results: Lots of denials. From /var/log/messages Feb 11 18:57:47 happy setroubleshoot: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 93b4d9c4-7003-4caa-b882-ac5b0d4ab85e Feb 11 18:57:47 happy python: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep mongod /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012 Expected results: Mongod writes out to syslog and no selinux denials. Maybe this should/does require an sebool? Additional info: