Created attachment 1123284 [details] sealert output. Description of problem: Mongod cannot start when configured to log to syslog. Version-Release number of selected component (if applicable): mongodb.x86_64 2.6.11-1.el7 mongodb-server.x86_64 2.6.11-1.el7 How reproducible: Always. Steps to Reproduce: 1. Install mongodb-server 2. Configure to use syslog loging. Edit /etc/mongod.conf and set the following: syslog = true syslogFacility = user #logpath = /var/log/mongodb/mongod.log 3. Start mongod # systemctl start mongod Actual results: Lots of denials. From /var/log/messages Feb 11 18:57:47 happy setroubleshoot: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 93b4d9c4-7003-4caa-b882-ac5b0d4ab85e Feb 11 18:57:47 happy python: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep mongod /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012 Expected results: Mongod writes out to syslog and no selinux denials. Maybe this should/does require an sebool? Additional info:
Moving to selinux-policy. This bug affect all versions of Fedora and also EPEL. SELinux info from F23: SELinux is preventing mongod from create access on the unix_dgram_socket Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mongod /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mongod_t:s0 Target Context system_u:system_r:mongod_t:s0 Target Objects Unknown [ unix_dgram_socket ] Source mongod Source Path mongod Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.4.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.3.5-300.fc23.x86_64 #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64 Alert Count 18 First Seen 2016-02-12 11:55:02 CET Last Seen 2016-02-12 11:55:04 CET Local ID e337899f-d93d-4e16-87cc-946bb15094ca Raw Audit Messages type=AVC msg=audit(1455274504.344:4698): avc: denied { create } for pid=10112 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket permissive=0 Hash: mongod,mongod_t,mongod_t,unix_dgram_socket,create
commit ce02c3567f10a859cc74293009cdeca3e3e583ae Author: Lukas Vrabec <lvrabec> Date: Mon Feb 15 13:19:18 2016 +0100 Allow create mongodb unix dgram sockets. rhbz#1306819
selinux-policy-3.13.1-158.7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.