Bug 1599230

Summary: Mongodb 4.0 avc denied - snmp and netstat
Product: [Fedora] Fedora Reporter: Marek Skalický <mskalick>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29CC: dwalsh, lvrabec, mgrepl, mmalik, pierre-yves.goubet, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.2-34.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-12 02:56:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marek Skalický 2018-07-09 09:21:00 UTC 
Description of problem:
MongoDB was rebased to latest upstream version last week in Rawhide. And I'm getting AVC denied errors.

----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:703): avc:  denied  { read } for  pid=3005 comm="ftdc" name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:702): avc:  denied  { read } for  pid=3005 comm="ftdc" name="netstat" dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----

Could you fix this please in SELinux policy package?


Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-26.fc29.noarch
selinux-policy-targeted-3.14.2-26.fc29.noarch


How reproducible:
always in current Fedora Rawhide

Steps to Reproduce:
1. install mongodb-server rpm
2. systemctl start mongod

Actual results:
AVC denied messages

Expected results:
No SELinux fails
Comment 1 Milos Malik 2018-07-09 17:40:52 UTC 
----
type=PROCTITLE msg=audit(07/09/2018 19:39:47.004:281) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:47.004:281) : item=0 name=/proc/net/snmp inode=4026532055 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:47.004:281) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:47.004:281) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f6b4631a510 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc:  denied  { read } for  pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/09/2018 19:39:46.001:278) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:46.001:278) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:46.001:278) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:46.001:278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55946894e920 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc:  denied  { read } for  pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----
Comment 2 Milos Malik 2018-07-09 17:42:16 UTC 
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/09/2018 19:41:24.001:442) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:41:24.001:442) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:41:24.001:442) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:41:24.001:442) : arch=x86_64 syscall=openat success=yes exit=30 a0=0xffffff9c a1=0x55e50a034ca0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2991 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { open } for  pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { read } for  pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
----
Comment 3 Marek Skalický 2018-07-11 06:45:57 UTC 
To note: MongoDB is expected to do this, because it collects diagnostic data - FTDC name.
Comment 4 Lukas Vrabec 2018-07-20 12:22:20 UTC 
Milos, 

Thanks for testing it on Fedora :)
Comment 5 Jan Kurik 2018-08-14 11:17:09 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.
Comment 6 Marek Skalický 2018-08-14 11:47:28 UTC 
Would it be possible to backport this to F28? Should I create a new bug?
Comment 7 Lukas Vrabec 2018-08-23 11:06:28 UTC 
lvrabec@lvrabec-workstation /tmp » audit2allow -i avc 


#============= mongod_t ==============

#!!!! This avc is allowed in the current policy
allow mongod_t proc_net_t:file { open read };
lvrabec@lvrabec-workstation /tmp » rpm -q selinux-policy
selinux-policy-3.14.1-40.fc28.noarch


Should be fixed in the latest selinux-policy rpm package.
Comment 8 Fedora Update System 2018-09-11 12:50:18 UTC 
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
Comment 9 Fedora Update System 2018-09-12 02:56:35 UTC 
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.