Description of problem: Selinux does not allow to execute some command in mongo shell. mongoDB should have allowed execmem: allow mongod_t self:process { execmem }; fixs it... Version-Release number of selected component (if applicable): Packages mongodb and mongodb-server from version 2.6. Now it is in Rawhide and EPEL 7. (for mongodb 2.4 it is working correctly) How reproducible: Steps to Reproduce: 1. run mongo shell and enter these commands 2. > t = db.jstests_and > t.drop() > t.save( {a:[1,2]} ) > t.count( {a:'foo',$where:'this.a=="foo"'} ) Actual results: 2014-12-16T12:53:17.034+0100 DBClientCursor::init call() failed 2014-12-16T12:53:17.035+0100 Error: error doing query: failed at src/mongo/shell/query.js:81 2014-12-16T12:53:17.038+0100 trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed 2014-12-16T12:53:17.074+0100 warning: Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused 2014-12-16T12:53:17.074+0100 reconnect 127.0.0.1:27017 (127.0.0.1) failed failed couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed Expected results: t.count( {a:'foo',$where:'this.a=="foo"'} ) should return 0 Additional info: SELinux log: SELinux is preventing mongod from using the execmem access on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mongod /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mongod_t:s0 Target Context system_u:system_r:mongod_t:s0 Target Objects Unknown [ process ] Source mongod Source Path mongod Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-100.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.18.0-1.fc22.x86_64 #1 SMP Tue Dec 9 14:49:38 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-12-16 11:10:55 CET Last Seen 2014-12-16 11:40:02 CET Local ID 526830df-89d6-4524-8ee7-d9cb5bbe2e1e Raw Audit Messages type=AVC msg=audit(1418726402.258:697): avc: denied { execmem } for pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0 Hash: mongod,mongod_t,mongod_t,process,execmem
This might be a compiler issue.
http://www.akkadia.org/drepper/selinux-mem.html
mongod requires execmem because it uses V8 JS engine - https://groups.google.com/forum/#!topic/mongodb-dev/4Gwi7yc1SvY (disabling scripting will result in greatly limited functionality). How other applications using v8 solve this problem?
I believe there could be some SELinux boolean for allowing mongodb to execmem access, similar to variables httpd_execmem, cups_execmem, etc.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
#============= mongod_t ============== #!!!! This avc is allowed in the current policy allow mongod_t self:process execmem; [root@localhost ~]# rpm -q selinux-policy selinux-policy-3.13.1-119.fc23.noarch Fixed also in F22