Bug 1204024 - Missing policy for mongodb
Summary: Missing policy for mongodb
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1174740
Blocks: 1208765 1212970
Reported: 2015-03-20 07:47 UTC by Marek Skalický
Modified: 2015-11-19 10:27 UTC (History)
CC List: 21 users

Fixed In Version: selinux-policy-3.13.1-24.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, when using SELinux in Enforcing mode, certain commands in the mongo shell failed due to an incomplete MongoDB policy. This update adjusts the MongoDB policy to address this problem, and the impacted commands now work in the mongo shell as expected.
Clone Of: 1174740
Clones: 1212970
Environment:
Last Closed: 2015-11-19 10:27:10 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Marek Skalický 2015-03-20 07:47:25 UTC
+++ This bug was initially created as a clone of Bug #1174740 +++

Description of problem:
SELinux does not allow executing some commands in the mongo shell.

mongoDB should have execmem allowed:
allow mongod_t self:process { execmem }; fixes it...

Version-Release number of selected component (if applicable):
Packages mongodb and mongodb-server, version 2.6 (now in Rawhide and EPEL 7).
(For mongodb 2.4 it works correctly.)

How reproducible:

Steps to Reproduce:
1. Run the mongo shell and enter these commands:
> t = db.jstests_and
> t.drop()
> t.save( {a:[1,2]} )
> t.count( {a:'foo',$where:'this.a=="foo"'} )

Actual results:
2014-12-16T12:53:17.034+0100 DBClientCursor::init call() failed
2014-12-16T12:53:17.035+0100 Error: error doing query: failed at src/mongo/shell/query.js:81
2014-12-16T12:53:17.038+0100 trying reconnect to 127.0.0.1:27017 (127.0.0.1) failed
2014-12-16T12:53:17.074+0100 warning: Failed to connect to 127.0.0.1:27017, reason: errno:111 Connection refused
2014-12-16T12:53:17.074+0100 reconnect 127.0.0.1:27017 (127.0.0.1) failed failed couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed

Expected results:
t.count( {a:'foo',$where:'this.a=="foo"'} ) should return 0


Additional info:
SELinux log:

SELinux is preventing mongod from using the execmem access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed execmem access on processes labeled mongod_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ process ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-100.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.18.0-1.fc22.x86_64
                              #1 SMP Tue Dec 9 14:49:38 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-12-16 11:10:55 CET
Last Seen                     2014-12-16 11:40:02 CET
Local ID                      526830df-89d6-4524-8ee7-d9cb5bbe2e1e

Raw Audit Messages
type=AVC msg=audit(1418726402.258:697): avc:  denied  { execmem } for  pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0


Hash: mongod,mongod_t,mongod_t,process,execmem

--- Additional comment from Milos Malik on 2014-12-16 08:26:55 EST ---

This might be a compiler issue.

--- Additional comment from Milos Malik on 2014-12-16 08:28:14 EST ---

http://www.akkadia.org/drepper/selinux-mem.html

--- Additional comment from Marek Skalický on 2015-01-05 10:05:41 EST ---

mongod requires execmem because it uses V8 JS engine - https://groups.google.com/forum/#!topic/mongodb-dev/4Gwi7yc1SvY (disabling scripting will result in greatly limited functionality).

How do other applications using V8 solve this problem?

--- Additional comment from Honza Horak on 2015-01-13 10:14:45 EST ---

I believe there could be some SELinux boolean for allowing mongodb to execmem access, similar to variables httpd_execmem, cups_execmem, etc.

--- Additional comment from Jaroslav Reznik on 2015-03-03 11:37:31 EST ---

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
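
The raw AVC record above is what `audit2allow -M` chews on. As an added example (not code from this bug, from audit2allow or from selinux-policy), the script below parses such records into structured fields, merges denials per source type / target type / class into a local .te module of the same shape as the one audit2allow generates, and separately flags denials for permissions such as execmem that relax W^X for the whole domain, because those are the ones that deserve a boolean (like httpd_execmem) or an upstream fix rather than a quiet local allow. The first record is the one quoted in the report; the second record is constructed here to show two denials merging into one rule.

```python
"""Parse raw SELinux AVC records and turn them into a local policy module.

Added example for this bug report; it is not audit2allow and not selinux-policy
code.  AVC_FROM_REPORT is the record quoted in the report, AVC_CONSTRUCTED is
made up here to show how denials for the same source/target/class merge.
"""
import re
from collections import OrderedDict

AVC_FROM_REPORT = (
    'type=AVC msg=audit(1418726402.258:697): avc:  denied  { execmem } for  '
    'pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0'
)

# Constructed, not from the page: a second denial in the same domain.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1418726500.000:712): avc:  denied  { execstack } for  '
    'pid=17279 comm="mongod" scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:system_r:mongod_t:s0 tclass=process permissive=0'
)

_AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let a domain map memory both writable and executable.
# Granting them disables W^X for the whole domain, so they deserve a boolean
# (cf. httpd_execmem) or an upstream policy fix rather than a quiet local allow.
EXEC_MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("rest"))}
    # Contexts look like user:role:type:level; the type is the third field.
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def collect_rules(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def render_te(rules, name="local", version="1.0"):
    """Render a .te module in the shape `audit2allow -M` produces."""
    types, classes = set(), {}
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (stype, ttype, tclass), perms in rules.items():
        target = "self" if stype == ttype else ttype
        out += ["", f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"]
    return "\n".join(out) + "\n"


def exec_memory_denials(lines):
    """Return (comm, source type, permission) for denials that would relax W^X."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        hits += [(rec["comm"], rec["stype"], p) for p in rec["perms"] if p in EXEC_MEMORY_PERMS]
    return hits


if __name__ == "__main__":
    lines = [AVC_FROM_REPORT, AVC_CONSTRUCTED]
    for comm, stype, perm in exec_memory_denials(lines):
        print(f"warning: {comm} ({stype}) wants {perm}; prefer a boolean or an upstream fix")
    # Build and load the result with:
    #   checkmodule -M -m -o local.mod local.te
    #   semodule_package -o local.pp -m local.mod
    #   semodule -i local.pp
    print(render_te(collect_rules(lines)), end="")
```

Feeding it only the record from the report yields exactly the `allow mongod_t self:process { execmem };` module that the workaround in the comments below spells out by hand; the warning it prints first is the part audit2allow leaves to the reader.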

Comment 1 Honza Horak 2015-03-20 08:01:35 UTC
Since we encounter this issue in rh-mongodb26-mongodb in RHSCL-2.0, we need to handle it somehow there *very soon*, but I'm not sure if this fix gets into selinux-policy soon enough. Mirku, is there any work-around we can use in the mongodb daemon right now? Or is there any way a user can allow it himself?

I'm not sure if this is the right way to work around it:

   #> cat local.te

   module local 1.0;

   require {
           type mongod_t;
           class process execmem;
   }

   #============= mongod_t ==============
   allow mongod_t self:process execmem;

   #> checkmodule -M -m -o local.mod local.te
   #> semodule_package -o local.pp -m local.mod
   #> semodule -i local.pp


And whether we can advise something like that until it gets fixed in selinux-policy.

Comment 2 Honza Horak 2015-04-03 08:52:33 UTC
Just FTR there is no problem in RHEL-6, because the RHEL-6 policy allows it by default. No need to enable any booleans.

# rpm -qa selinux-policy\*
selinux-policy-3.7.19-262.el6.noarch
selinux-policy-targeted-3.7.19-262.el6.noarch
selinux-policy-mls-3.7.19-262.el6.noarch
selinux-policy-doc-3.7.19-262.el6.noarch
selinux-policy-minimum-3.7.19-262.el6.noarch
# sesearch -s mongod_t -t mongod_t -c process -A -C -p execmem
Found 3 semantic av rules:
   allow mongod_t mongod_t : process { fork transition sigchld signal getsched setsched execmem } ; 
ET allow mongod_t mongod_t : process execmem ; [ allow_execmem ]
ET allow mongod_t mongod_t : process { execmem execstack } ; [ allow_execstack ]
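
The sesearch listing above is the check that decides what a user should do: if a rule grants the permission unconditionally nothing is needed, if it is gated by a boolean a `setsebool -P` suffices, and if nothing grants it the choice is a local module or a bug report. As an added example (not part of setools or selinux-policy), the script below reads `sesearch -C` output in the setools 3 format shown above and answers that question for one permission. It takes the leading flag letters as setools 3 prints them, E/D for a conditional rule that is currently enabled or disabled and T/F for the branch of the boolean expression it belongs to; that reading of the flags is my assumption about the format, not something the comment states. The RHEL 6 listing is the one quoted above; the second listing and its boolean name `example_bool` are constructed for illustration.

```python
"""Classify how a permission is granted, from `sesearch -C` output.

Added example for this bug; not part of setools or selinux-policy.  The first
sample is the RHEL 6 listing from the comment above.  Flag letters are read as
setools 3 prints them (assumed here): 'E'/'D' = conditional rule currently
enabled/disabled, 'T'/'F' = rule sits in the true/false branch of the boolean.
"""
import re

SESEARCH_RHEL6 = """\
Found 3 semantic av rules:
   allow mongod_t mongod_t : process { fork transition sigchld signal getsched setsched execmem } ; 
ET allow mongod_t mongod_t : process execmem ; [ allow_execmem ]
ET allow mongod_t mongod_t : process { execmem execstack } ; [ allow_execstack ]
"""

# Constructed, not from the page: a policy that grants execmem only through a
# boolean that is currently off.  'example_bool' is a made-up boolean name.
SESEARCH_CONSTRUCTED = """\
Found 1 semantic av rules:
DT allow mongod_t mongod_t : process execmem ; [ example_bool ]
"""

_RULE_RE = re.compile(
    r"^\s*(?P<flags>[DE][TF])?\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*(?:\[\s*(?P<cond>[^\]]*?)\s*\])?"
)


def parse_rules(output):
    """Yield (perms, conditional expression or None, currently enabled) per rule."""
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        perms = set((m.group("perms") or m.group("perm")).split())
        flags = m.group("flags")
        enabled = flags is None or flags[0] == "E"
        yield perms, m.group("cond"), enabled


def classify(output, perm):
    """Say how `perm` is granted by the rules in `output`.

    Returns ('unconditional', []), ('boolean', [exprs currently granting it]),
    ('boolean-off', [exprs that would grant it if toggled]) or ('none', []).
    """
    active, inactive = [], []
    for perms, cond, enabled in parse_rules(output):
        if perm not in perms:
            continue
        if cond is None:
            return "unconditional", []
        (active if enabled else inactive).append(cond)
    if active:
        return "boolean", active
    if inactive:
        return "boolean-off", inactive
    return "none", []


if __name__ == "__main__":
    print(classify(SESEARCH_RHEL6, "execmem"))        # granted unconditionally on RHEL 6
    print(classify(SESEARCH_RHEL6, "execstack"))      # granted only via allow_execstack
    print(classify(SESEARCH_CONSTRUCTED, "execmem"))  # a boolean exists but is off
    print(classify(SESEARCH_RHEL6, "execheap"))       # nothing grants it: module or bug
```

On a RHEL 7 policy before the fix in selinux-policy-3.13.1-24.el7 the same query for execmem would fall into the last case, which is why the local module in comment 1 was the only option short of a policy update.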

Comment 7 errata-xmlrpc 2015-11-19 10:27:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

