Bug 952827

Summary: SELinux policy prevents mongod from binding to ports 27018, 27019, 28017, 28018 and 28019
Product: Red Hat Enterprise Linux 6
Reporter: Daniel Walsh <dwalsh>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dominick.grift, dwalsh, johan.o.hedin, lnovich, mgrepl, mmalik, mtruneck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 926991
Environment:
Last Closed: 2013-11-21 10:22:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 926991
Bug Blocks:

Description Daniel Walsh 2013-04-16 19:41:38 UTC
+++ This bug was initially created as a clone of Bug #926991 +++

Description of problem:
mongod (in package mongodb-server) uses port 27017 as its standard port. It also uses 28017 as its standard http interface port. The current policy only includes 27017 in mongod_port_t, thus preventing mongod from binding to its default http interface port.

The lack of ports in mongod_port_t also prevents mongod from operating in its two other roles as config server or shard server.


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-85.fc18


How reproducible:
Every time.


Steps to Reproduce:
For http interface problem:
1. Make sure that nohttpinterface is not set to true in /etc/mongodb.conf

2. Start mongod; systemctl start mongod.service

For the ports 27018 and 27019:
1. Change port in /etc/mongodb.conf to 27018 or 27019 and make sure that nohttpinterface is not set to true.

2. Start mongod; systemctl start mongod.service

Actual results:
If mongod can't bind to the http interface port, it still starts but without its http interface. If mongod can't bind to 27018 or 27019 it does not start at all.


Expected results:
mongod should start normally and be able to bind to 27017 and 28017, 27018 and 28018 or 27019 and 28019.


Additional info:
Depending on what role mongod has, it uses one of three standard ports: 27017, 27018 or 27019. Also, if the http interface is enabled, mongod will bind to ports 28017, 28018 or 28019 respectively (standard port + 1000).

The six standard ports for mongod are documented here: http://docs.mongodb.org/manual/administration/security/#security-port-numbers.

Parts of this problem have been reported here: https://bugzilla.redhat.com/show_bug.cgi?id=752331 and here: https://bugzilla.redhat.com/show_bug.cgi?id=787173 but have not been resolved.

Please add ports 27018, 27019, 28017, 28018 and 28019 to mongod_port_t.

--- Additional comment from Miroslav Grepl on 2013-03-25 07:04:23 EDT ---

commit 094d3af949fb0040fb04c123131c85c2e772b68f
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 25 12:02:49 2013 +0100

    Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports

--- Additional comment from Fedora Update System on 2013-04-15 07:10:08 EDT ---

selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

--- Additional comment from Fedora Update System on 2013-04-15 20:05:39 EDT ---

Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

--- Additional comment from Johan Hedin on 2013-04-16 14:56:38 EDT ---

selinux-policy-3.11.1-90.fc18 fixes the problem.

One question though; will this eventually propagate to RHEL 6 as well? The policy for mongod in RHEL 6 (or CentOS in my case) is quite similar to the one in Fedora but does not at this point enforce the ports.

So, will this change and will this addition to the policy be in there when it does?
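
An added example, not part of this bug report or of the selinux-policy package: a shell script that compares the ports currently labeled mongod_port_t against the six ports listed in the description (27017, 27018, 27019 plus each one + 1000 for the http interface) and prints the semanage commands that would label the missing ones as a local workaround on a policy that predates the fix. It assumes policycoreutils-python (semanage) and the standard column layout of `semanage port -l` (type, protocol, comma-separated ports and ranges); the sample output embedded in it is constructed to mimic the pre-fix policy, where only 27017 is labeled.

```shell
#!/bin/sh
# Added example: audit mongod_port_t against the ports mongod may bind and
# plan the local "semanage port -a" labels for any that are missing.
# Assumes: semanage from policycoreutils-python, and the usual
#   "<type>   <proto>   <port>[, <port>|<lo>-<hi>]..." output of "semanage port -l".

# One data port per mongod role (mongod, config server, shard server).
MONGOD_BASE_PORTS="27017 27018 27019"

# The http interface listens on the data port + 1000.
http_port() {
    echo $(( $1 + 1000 ))
}

# All six ports mongod can bind: each base port and its http port.
expected_ports() {
    for p in $MONGOD_BASE_PORTS; do
        echo "$p"
        http_port "$p"
    done
}

# Read "semanage port -l" output on stdin and print every tcp port labeled
# with type $1, one per line, expanding "lo-hi" ranges.
labeled_ports() {
    awk -v type="$1" '$1 == type && $2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            gsub(",", "", $i)
            if (split($i, r, "-") == 2) {
                for (p = r[1]; p <= r[2]; p++) print p
            } else if ($i != "") print $i
        }
    }'
}

# $1 = full "semanage port -l" output; print expected ports not yet labeled.
missing_ports() {
    labeled=$(printf '%s\n' "$1" | labeled_ports mongod_port_t)
    for p in $(expected_ports); do
        case " $(echo $labeled) " in
            *" $p "*) ;;          # already labeled mongod_port_t
            *) echo "$p" ;;
        esac
    done
}

# $1 = full "semanage port -l" output; print the commands that would fix it.
plan_fix() {
    for p in $(missing_ports "$1"); do
        echo "semanage port -a -t mongod_port_t -p tcp $p"
    done
}

# Constructed sample (not captured from a real system) mirroring the pre-fix
# policy, where mongod_port_t covers only the default port.
SAMPLE_PREFIX='mongod_port_t                  tcp      27017'

main() {
    case "${1:-}" in
        --live) current=$(semanage port -l) ;;   # needs root and semanage
        *)      current=$SAMPLE_PREFIX ;;        # offline demo on the sample
    esac
    if [ -z "$(missing_ports "$current")" ]; then
        echo "mongod_port_t already covers all six mongod ports"
    else
        echo "# missing labels; run as root to add them locally:"
        plan_fix "$current"
    fi
}

main "$@"
```

Run without arguments it works on the embedded sample and prints five semanage commands; with --live it reads the real policy, and on a system that already has selinux-policy-3.7.19-210.el6 (or the Fedora 18 update above) it should report nothing missing, which doubles as a quick verification of the errata. Labels added with `semanage port -a` are local customizations that persist across policy updates, so once the fixed policy is installed remove them again with `semanage port -d -t mongod_port_t -p tcp <port>` to avoid conflicts with the now built-in definitions. A bind that is still being refused shows up as a name_bind denial for the mongod process in the audit log (`ausearch -m avc -c mongod`).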

Comment 7 errata-xmlrpc 2013-11-21 10:22:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html