Bug 1766194
| Summary: | /usr/bin/mongod throwing permissions errors in SELinux Messages log | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | spikes.galen | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.7 | CC: | lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-10-29 11:52:52 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Moving to selinux policy due this issue isn't directly related to net-snmp package. I believe this bug is a duplicate of BZ#1672245. *** This bug has been marked as a duplicate of bug 1672245 *** |
Created attachment 1629816 [details] Full logs Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Install MongoDB 2. Change data directory 3. Check /var/log/messages Actual results: Oct 28 10:31:45 v2626umcth814 python: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/netstat.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed open access on the netstat file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc#012# semodule -i my-ftdc.pp#012 Oct 28 10:31:45 v2626umcth814 setroubleshoot: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp. For complete SELinux messages run: sealert -l eb448851-b826-495c-96b4-07854258c061 Oct 28 10:31:45 v2626umcth814 python: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed open access on the snmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc#012# semodule -i my-ftdc.pp#012 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=AVC msg=audit(1572273106.000:4890251): avc: denied { open } for pid=3024 comm="ftdc" path="/proc/3024/net/netstat" dev="proc" ino=4026532001 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=SYSCALL msg=audit(1572273106.000:4890251): arch=c000003e syscall=2 success=no exit=-13 a0=55b6af3d4fc0 a1=0 a2=55b6af3d4fc0 a3=ffffff80 items=1 ppid=1 pid=3024 auid=4294967295 uid=978 gid=386 euid=978 suid=978 fsuid=978 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null) Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=CWD msg=audit(1572273106.000:4890251): cwd="/" Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=PATH msg=audit(1572273106.000:4890251): item=0 name="/proc/net/netstat" inode=4026532001 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=PROCTITLE msg=audit(1572273106.000:4890251): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=AVC msg=audit(1572273106.000:4890252): avc: denied { open } for pid=3024 comm="ftdc" path="/proc/3024/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=SYSCALL msg=audit(1572273106.000:4890252): arch=c000003e syscall=2 success=no exit=-13 a0=7f0f896d6500 a1=0 a2=7f0f896d6500 a3=fffffffe items=1 ppid=1 pid=3024 auid=4294967295 uid=978 gid=386 euid=978 suid=978 fsuid=978 egid=386 sgid=386 fsgid=386 tty=(none) ses=4294967295 comm="ftdc" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null) Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=CWD msg=audit(1572273106.000:4890252): cwd="/" Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=PATH msg=audit(1572273106.000:4890252): item=0 name="/proc/net/snmp" inode=4026532002 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Oct 28 10:31:46 v2626umcth814 audispd: node=v2626umcth814.rtord.epa.gov type=PROCTITLE msg=audit(1572273106.000:4890252): proctitle=2F7573722F62696E2F6D6F6E676F64002D66002F6574632F6D6F6E676F642E636F6E66 Oct 28 10:31:46 v2626umcth814 setroubleshoot: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/netstat. For complete SELinux messages run: sealert -l eb448851-b826-495c-96b4-07854258c061 Oct 28 10:31:46 v2626umcth814 python: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/netstat.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed open access on the netstat file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc#012# semodule -i my-ftdc.pp#012 Oct 28 10:31:46 v2626umcth814 setroubleshoot: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp. For complete SELinux messages run: sealert -l eb448851-b826-495c-96b4-07854258c061 Oct 28 10:31:46 v2626umcth814 python: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed open access on the snmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc#012# semodule -i my-ftdc.pp#012 Expected results: Nothing Additional info: