Bug 1672245

Summary:	mongod denied access to open and read /proc/net/netstat for Diagnostic Parameters (FTDC)
Product:	Red Hat Enterprise Linux 7	Reporter:	Deepu K S <dkochuka>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED WONTFIX	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	low
Version:	7.6	CC:	dkochuka, lvrabec, mgrepl, mmalik, plautrba, spikes.galen, ssekidde, vmojzis, zpytela
Target Milestone:	rc
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-02-28 19:12:22 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Deepu K S 2019-02-04 11:11:52 UTC

Description of problem:
In MongoDB community edition 3.4.16, 3.6.6, 4.0.0 and later versions, mongod tries to read netstat info from /proc/net and store it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400

This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which also typically has symlinks (e.g. /proc/net/snmp).

Upstream PR is https://github.com/fedora-selinux/selinux-policy-contrib/pull/79 and merged to Fedora 28, 29.

We request to backport the fix to RHEL 7.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7.6
selinux-policy-3.13.1-229.el7_6.5.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install instructions are here,
https://jira.mongodb.org/browse/SERVER-38704

This is the MongoDB bug report.


Actual results:
# tail -f /var/log/audit/audit.log | grep -i ftdc | grep denied
type=AVC msg=audit(1549277003.001:17379): avc:  denied  { read } for  pid=6157 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277004.005:17380): avc:  denied  { read } for  pid=6157 comm="ftdc" name="netstat" dev="proc" ino=4026532001 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277004.005:17381): avc:  denied  { read } for  pid=6157 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277005.005:17382): avc:  denied  { read } for  pid=6157 comm="ftdc" name="netstat" dev="proc" ino=4026532001 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277005.005:17383): avc:  denied  { read } for  pid=6157 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277006.001:17384): avc:  denied  { read } for  pid=6157 comm="ftdc" name="netstat" dev="proc" ino=4026532001 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1549277006.001:17385): avc:  denied  { read } for  pid=6157 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


Expected results:
No SELinux denials.

Additional info:

Comment 3 Zdenek Pytela 2019-02-28 19:12:22 UTC

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 4 Lukas Vrabec 2019-10-29 11:52:52 UTC

*** Bug 1766194 has been marked as a duplicate of this bug. ***