Bug 1340251

Summary: avc: denied { execmem } when starting mongod on a fresh F24 installation
Product: [Fedora] Fedora
Reporter: Randy Barlow <rbarlow>
Component: mongodb
Assignee: Marek Skalický <mskalick>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 24
CC: admiller, jdornak, johan.o.hedin, jpacner, mskalick, npmccallum, strobert, tdawson
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: mongodb-3.2.6-4.fc24
Last Closed: 2016-06-18 18:57:42 UTC
Type: Bug

Description Randy Barlow 2016-05-26 20:38:48 UTC
Description of problem:
On a fresh F24 installation I am unable to start mongod with SELinux in enforcing mode.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. $ sudo dnf install -y mongodb-server
2. $ sudo systemctl start mongod

Actual results:
$ sudo systemctl start mongod
Job for mongod.service failed because a fatal signal was delivered to the control process. See "systemctl status mongod.service" and "journalctl -xe" for details.

Expected results:
Mongod should start

Additional info:
$ sudo grep mongo /var/log/audit/audit.log
type=AVC msg=audit(1464294964.308:135): avc:  denied  { execmem } for  pid=805 comm="mongod" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=ANOM_ABEND msg=audit(1464294964.308:136): auid=4294967295 uid=184 gid=991 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=805 comm="mongod" exe="/usr/bin/mongod" sig=11
type=SERVICE_START msg=audit(1464294964.313:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mongod comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

$ sudo audit2allow -al

#============= init_t ==============
allow init_t self:process execmem;

Comment 1 Randy Barlow 2016-05-26 20:47:25 UTC
Hello Nathan!

It looks like https://bodhi.fedoraproject.org/updates/FEDORA-2016-eae91c887b fixes this issue too. I'll go ahead and mark this as MODIFIED, but you may want to add it to the Bodhi update. Thanks for fixing this before I even reported it!

Comment 2 Randy Barlow 2016-05-26 20:52:13 UTC
According to Bodhi, it looks like Marek Skalický fixed this issue. Thanks!

Comment 3 Marek Skalický 2016-05-27 09:01:38 UTC
Hi Randy,
thanks for testing MongoDB and reporting issues!

I've added this bug to the Bodhi update.

Comment 4 Fedora Update System 2016-05-27 09:01:56 UTC
mongodb-3.2.6-4.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-eae91c887b

Comment 5 Fedora Update System 2016-06-18 18:57:26 UTC
mongodb-3.2.6-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.