Description of problem: MongoDB was rebased to latest upstream version last week in Rawhide. And I'm getting AVC denied errors. ---- time->Mon Jul 9 04:52:55 2018 type=AVC msg=audit(1531126375.000:703): avc: denied { read } for pid=3005 comm="ftdc" name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 ---- time->Mon Jul 9 04:52:55 2018 type=AVC msg=audit(1531126375.000:702): avc: denied { read } for pid=3005 comm="ftdc" name="netstat" dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 ---- Could you fix this please in SELinux policy package? Version-Release number of selected component (if applicable): selinux-policy-3.14.2-26.fc29.noarch selinux-policy-targeted-3.14.2-26.fc29.noarch How reproducible: always in current Fedora Rawhide Steps to Reproduce: 1. install mongodb-server rpm 2. systemctl start mongod Actual results: AVC denied messages Expected results: No SELinux fails
---- type=PROCTITLE msg=audit(07/09/2018 19:39:47.004:281) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run type=PATH msg=audit(07/09/2018 19:39:47.004:281) : item=0 name=/proc/net/snmp inode=4026532055 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(07/09/2018 19:39:47.004:281) : cwd=/ type=SYSCALL msg=audit(07/09/2018 19:39:47.004:281) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f6b4631a510 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc: denied { read } for pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(07/09/2018 19:39:46.001:278) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run type=PATH msg=audit(07/09/2018 19:39:46.001:278) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(07/09/2018 19:39:46.001:278) : cwd=/ type=SYSCALL msg=audit(07/09/2018 19:39:46.001:278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55946894e920 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc: denied { read } for pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 ----
Following SELinux denials appeared in permissive mode: ---- type=PROCTITLE msg=audit(07/09/2018 19:41:24.001:442) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run type=PATH msg=audit(07/09/2018 19:41:24.001:442) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(07/09/2018 19:41:24.001:442) : cwd=/ type=SYSCALL msg=audit(07/09/2018 19:41:24.001:442) : arch=x86_64 syscall=openat success=yes exit=30 a0=0xffffff9c a1=0x55e50a034ca0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2991 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { open } for pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { read } for pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 ----
To note: MongoDB is expected to do this, because it collects diagnostic data - FTDC name.
Milos, Thanks for testing it on Fedora :)
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
Would it be possible to backport this to F28? Should I create a new bug?
lvrabec@lvrabec-workstation /tmp » audit2allow -i avc #============= mongod_t ============== #!!!! This avc is allowed in the current policy allow mongod_t proc_net_t:file { open read }; lvrabec@lvrabec-workstation /tmp » rpm -q selinux-policy selinux-policy-3.14.1-40.fc28.noarch Should be fixed in the latest selinux-policy rpm package.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.