Bug 1306819 - SELinux Prevents Mongodb from writing to syslog
SELinux Prevents Mongodb from writing to syslog
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1306995
  Show dependency treegraph
 
Reported: 2016-02-11 14:07 EST by Seth Kress
Modified: 2016-02-26 14:24 EST (History)
14 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-158.7.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1306995 (view as bug list)
Environment:
Last Closed: 2016-02-26 14:24:01 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sealert output. (2.15 KB, text/plain)
2016-02-11 14:07 EST, Seth Kress
no flags Details

  None (edit)
Description Seth Kress 2016-02-11 14:07:04 EST
Created attachment 1123284 [details]
sealert output.

Description of problem:
Mongod cannot start when configured to log to syslog.

Version-Release number of selected component (if applicable):
mongodb.x86_64         2.6.11-1.el7
mongodb-server.x86_64  2.6.11-1.el7                                 

How reproducible:
Always.

Steps to Reproduce:
1. Install mongodb-server

2. Configure to use syslog loging. Edit /etc/mongod.conf and set the following:

syslog = true
syslogFacility = user
#logpath = /var/log/mongodb/mongod.log


3. Start mongod

# systemctl start mongod



Actual results:

Lots of denials.

From /var/log/messages

Feb 11 18:57:47 happy setroubleshoot: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 93b4d9c4-7003-4caa-b882-ac5b0d4ab85e

Feb 11 18:57:47 happy python: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep mongod /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012




Expected results:

Mongod writes out to syslog and no selinux denials. Maybe this should/does require an sebool?

Additional info:
Comment 1 Marek Skalický 2016-02-12 06:11:30 EST
Moving to selinux-policy.

This bug affect all versions of Fedora and also EPEL.


SELinux info from F23:

SELinux is preventing mongod from create access on the unix_dgram_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ unix_dgram_socket ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.3.5-300.fc23.x86_64
                              #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-02-12 11:55:02 CET
Last Seen                     2016-02-12 11:55:04 CET
Local ID                      e337899f-d93d-4e16-87cc-946bb15094ca

Raw Audit Messages
type=AVC msg=audit(1455274504.344:4698): avc:  denied  { create } for  pid=10112 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket permissive=0


Hash: mongod,mongod_t,mongod_t,unix_dgram_socket,create
Comment 2 Lukas Vrabec 2016-02-15 07:20:56 EST
commit ce02c3567f10a859cc74293009cdeca3e3e583ae
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Feb 15 13:19:18 2016 +0100

    Allow create mongodb unix dgram sockets. rhbz#1306819
Comment 3 Fedora Update System 2016-02-17 08:47:32 EST
selinux-policy-3.13.1-158.7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c
Comment 4 Fedora Update System 2016-02-17 17:31:08 EST
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c
Comment 5 Fedora Update System 2016-02-26 14:23:53 EST
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.