Bug 752331

Summary: SELinux is preventing mongod from name_bind access on the tcp_socket port 28017
Product: [Fedora] Fedora Reporter: Mads Villadsen <maxx>
Component: mongodbAssignee: Nathaniel McCallum <nathaniel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: clalancette, linuxnow, nathaniel
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mongodb-2.0.2-8.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 09:01:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mads Villadsen 2011-11-09 07:57:02 UTC 
Description of problem:
When starting the mongod service I get an selinux error.

Version-Release number of selected component (if applicable):
mongodb-1.8.2-9.fc16.x86_64
mongodb-server-1.8.2-9.fc16.x86_64
libmongodb-1.8.2-9.fc16.x86_64


Additional info:
Output from sealert:

SELinux is preventing mongod from name_bind access on the tcp_socket port 28017.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mongod should be allowed name_bind access on the port 28017 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 28017 [ tcp_socket ]
Source                        mongod
Source Path                   mongod
Port                          28017
Host                          siamese
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-46.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     siamese
Platform                      Linux siamese 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1
                              21:10:48 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 09 Nov 2011 08:53:17 AM CET
Last Seen                     Wed 09 Nov 2011 08:53:17 AM CET
Local ID                      9ec9a387-9365-4252-90e8-f3a1c6923f52

Raw Audit Messages
type=AVC msg=audit(1320825197.842:374): avc:  denied  { name_bind } for  pid=17037 comm="mongod" src=28017 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


Hash: mongod,mongod_t,unreserved_port_t,tcp_socket,name_bind

audit2allow

#============= mongod_t ==============
allow mongod_t unreserved_port_t:tcp_socket name_bind;

audit2allow -R

#============= mongod_t ==============
allow mongod_t unreserved_port_t:tcp_socket name_bind;
Comment 1 Chris Lalancette 2011-11-29 04:32:46 UTC 
Oh, very interesting.  I'm seeing this problem here as well, but I see why it doesn't affect anything.

When I start up mongod, I get an AVC that looks like:

type=AVC msg=audit(1322540873.004:69): avc:  denied  { name_bind } for  pid=993 comm="mongod" src=28017 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Notice that it says pid=993.  However, my currently running mongod process seems to be PID 986.  What that seems to say to me is that mongod is forking some helper process during bootup, leaking a file descriptor, and that is being reported as an AVC.  It is probably mostly harmless, but it is indeed a bug.  I'll see if I can find some time to track down the file descriptor leak.

Thanks for the report.
Comment 2 Fedora Admin XMLRPC Client 2012-02-03 18:49:41 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Fedora Update System 2012-02-03 19:30:36 UTC 
mongodb-2.0.2-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mongodb-2.0.2-8.fc15
Comment 4 Fedora Update System 2012-02-03 19:31:01 UTC 
mongodb-2.0.2-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/mongodb-2.0.2-8.fc16
Comment 5 Nathaniel McCallum 2012-02-03 21:35:16 UTC 
*** Bug 787173 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2012-02-04 05:31:44 UTC 
Package mongodb-2.0.2-8.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mongodb-2.0.2-8.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1293/mongodb-2.0.2-8.fc16
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-02-14 09:01:01 UTC 
mongodb-2.0.2-8.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-02-14 09:11:09 UTC 
mongodb-2.0.2-8.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.