Bug 972340

Summary: SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.
Product: Fedora
Reporter: stevdrey
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mark, mgrepl, s, stevdrey
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:7cfc72144459967cfe21c88d3ca3cb2d69674e4e2e93e56a8aad528c8e8ee1f1
Fixed In Version: selinux-policy-3.11.1-100.fc18
Doc Type: Bug Fix
Last Closed: 2013-08-15 02:53:34 UTC

Description stevdrey 2013-06-08 17:05:55 UTC
Description of problem:
I just tried to start the daemon mongod.
SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow mongod to have write access on the mongo directory
Then you need to change the label on mongo
Do
# semanage fcontext -a -t FILE_TYPE 'mongo'
where FILE_TYPE is one of the following: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t.
Then run:
restorecon -v 'mongo'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that mongod should be allowed write access on the mongo directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                mongo [ dir ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mongo-10gen-server-2.4.4-mongodb_1.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.i686 #1 SMP Fri May
                              24 20:35:02 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-08 10:55:41 CST
Last Seen                     2013-06-08 10:55:41 CST
Local ID                      d419996f-219d-4457-a7fc-b977141dd304

Raw Audit Messages
type=AVC msg=audit(1370710541.256:511): avc:  denied  { write } for  pid=16683 comm="mongod" name="mongo" dev="dm-3" ino=4849666 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=SYSCALL msg=audit(1370710541.256:511): arch=i386 syscall=open success=no exit=EACCES a0=ac5283c a1=8042 a2=1ff a3=0 items=0 ppid=16682 pid=16683 auid=4294967295 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,var_t,dir,write

audit2allow

#============= mongod_t ==============
allow mongod_t var_t:dir write;

audit2allow -R
require {
	type mongod_t;
}

#============= mongod_t ==============
files_write_var_dirs(mongod_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.i686
type:           libreport
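The denial above is a labeling problem (the target is the generic var_t rather than mongod_var_lib_t), so the right fix is the relabel the first plugin proposes, not the blanket `allow mongod_t var_t:dir write;` that audit2allow emits. The following added example (not part of this bug report or of setroubleshoot) parses the AVC record quoted above and picks the remediation; the expected-label map and the full directory path are assumptions, since an AVC record only carries the basename `name="mongo"`.

```python
import re
import shlex

# Constructed sample: the AVC record pasted in this bug's description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1370710541.256:511): avc:  denied  { write } for  pid=16683 '
    'comm="mongod" name="mongo" dev="dm-3" ino=4849666 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'
)

# Assumed mapping from mongod's private directories to the dedicated types the
# setroubleshoot plugin lists (the report says /var/lib/mongo was mongod_var_lib_t in F17).
EXPECTED_LABELS = {
    "/var/lib/mongo": "mongod_var_lib_t",
    "/var/log/mongo": "mongod_log_t",
    "/var/run/mongo": "mongod_var_run_t",
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group(1).split()}
    for tok in shlex.split(m.group(2)):  # shlex drops the quotes around comm="mongod"
        key, _, value = tok.partition("=")
        fields[key] = value
    for ctx in ("scontext", "tcontext"):  # user:role:type:level -> keep the type
        fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def remediation(avc, path):
    """Prefer relabeling to a dedicated type over an audit2allow-style allow rule."""
    expected = EXPECTED_LABELS.get(path)
    if expected and avc["tcontext_type"] != expected:
        return [
            f"semanage fcontext -a -t {expected} '{path}(/.*)?'",
            f"restorecon -Rv '{path}'",
        ]
    # No dedicated type known for this path: this is what audit2allow would generate.
    return [f"allow {avc['scontext_type']} {avc['tcontext_type']}:{avc['tclass']} "
            f"{{ {' '.join(avc['perms'])} }};"]


if __name__ == "__main__":
    print("\n".join(remediation(parse_avc(SAMPLE_AVC), "/var/lib/mongo")))
```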

Comment 1 Miroslav Grepl 2013-06-12 07:46:39 UTC
What does

# rpm -ql mongo-10gen-server-2.4.4-mongodb_1.i686

Also it does not come from Fedora, right?

Comment 2 Serge Matveenko 2013-07-02 20:51:39 UTC
I think it's time for you to talk to each other
https://jira.mongodb.org/browse/SERVER-8881

Comment 3 Mark Adams 2013-07-16 14:43:55 UTC
The bug from 10gen is suggesting that this is a regression between Fedora 17 and 18. The same issue is affecting Fedora 19 as well. According to their JIRA issue: 

"In the SELinux policy in Fedora 17, /var/lib/mongo is labeled mongod_var_lib_t and the 10gen RPM:s should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule."

Comment 4 Mark Adams 2013-07-16 14:48:48 UTC
rpm -ql mongo-10gen-server.x86_64
/etc/mongod.conf
/etc/rc.d/init.d/mongod
/etc/sysconfig/mongod
/usr/bin/mongod
/usr/bin/mongos
/usr/share/man/man1/mongod.1
/usr/share/man/man1/mongos.1
/var/lib/mongo
/var/log/mongo
/var/log/mongo/mongod.log

The package comes from 10gen (the developer) using their repo at http://downloads-distro.mongodb.org/repo/redhat/os/x86_64 .

As you can see in comment 3, someone on 10gen's JIRA issue claims that this used to be part of the selinux-policy back in Fedora 17 but was removed.

Comment 5 Daniel Walsh 2013-07-16 17:20:19 UTC
Ok, the mongodb that we ship has the following paths:

rpm -q mongodb-server -l | grep /var
/var/lib/mongodb
/var/log/mongodb
/var/run/mongodb

Which we label correctly.

936911269cb82447d62c3934ebb08265a9b8dc70 fixes this in git.

Comment 6 Miroslav Grepl 2013-07-17 10:02:39 UTC
Back ported.

Comment 7 Fedora Update System 2013-08-05 05:40:28 UTC
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-99.fc18

Comment 8 Fedora Update System 2013-08-06 00:14:03 UTC
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14256/selinux-policy-3.11.1-99.fc18
then log in and leave karma (feedback).

Comment 9 Serge Matveenko 2013-08-06 13:06:18 UTC
How to get this in Fedora 19?

Comment 10 Fedora Update System 2013-08-07 11:11:42 UTC
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-100.fc18

Comment 11 Daniel Walsh 2013-08-07 17:39:26 UTC
It should show up there also.

Comment 12 Fedora Update System 2013-08-15 02:53:34 UTC
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Serge Matveenko 2013-08-15 07:58:19 UTC
Fedora 19 is affected also. How to get this fix on it?

Comment 14 Daniel Walsh 2013-08-15 18:58:33 UTC
Should be fixed in selinux-policy-3.12.1-70