Bug 1599230 - Mongodb 4.0 avc denied - snmp and netstat
Summary: Mongodb 4.0 avc denied - snmp and netstat
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-07-09 09:21 UTC by Marek Skalický
Modified: 2019-07-23 13:57 UTC (History)

Fixed In Version: selinux-policy-3.14.2-34.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-12 02:56:35 UTC
Type: Bug
Embargoed:



Description Marek Skalický 2018-07-09 09:21:00 UTC
Description of problem:
MongoDB was rebased to the latest upstream version last week in Rawhide, and I'm getting AVC denied errors.

----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:703): avc:  denied  { read } for  pid=3005 comm="ftdc" name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:702): avc:  denied  { read } for  pid=3005 comm="ftdc" name="netstat" dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----

Could you fix this please in SELinux policy package?


Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-26.fc29.noarch
selinux-policy-targeted-3.14.2-26.fc29.noarch


How reproducible:
always in current Fedora Rawhide

Steps to Reproduce:
1. install mongodb-server rpm
2. systemctl start mongod

Actual results:
AVC denied messages

Expected results:
No SELinux failures

Comment 1 Milos Malik 2018-07-09 17:40:52 UTC
----
type=PROCTITLE msg=audit(07/09/2018 19:39:47.004:281) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:47.004:281) : item=0 name=/proc/net/snmp inode=4026532055 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:47.004:281) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:47.004:281) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f6b4631a510 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc:  denied  { read } for  pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/09/2018 19:39:46.001:278) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:46.001:278) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:46.001:278) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:46.001:278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55946894e920 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc:  denied  { read } for  pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----

Comment 2 Milos Malik 2018-07-09 17:42:16 UTC
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/09/2018 19:41:24.001:442) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:41:24.001:442) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:41:24.001:442) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:41:24.001:442) : arch=x86_64 syscall=openat success=yes exit=30 a0=0xffffff9c a1=0x55e50a034ca0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2991 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { open } for  pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { read } for  pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
----

Comment 3 Marek Skalický 2018-07-11 06:45:57 UTC
Note: MongoDB is expected to do this, because it collects diagnostic data (hence the name FTDC).

Comment 4 Lukas Vrabec 2018-07-20 12:22:20 UTC
Milos, 

Thanks for testing it on Fedora :)

Comment 5 Jan Kurik 2018-08-14 11:17:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 6 Marek Skalický 2018-08-14 11:47:28 UTC
Would it be possible to backport this to F28? Should I create a new bug?

Comment 7 Lukas Vrabec 2018-08-23 11:06:28 UTC
lvrabec@lvrabec-workstation /tmp » audit2allow -i avc 


#============= mongod_t ==============

#!!!! This avc is allowed in the current policy
allow mongod_t proc_net_t:file { open read };
lvrabec@lvrabec-workstation /tmp » rpm -q selinux-policy
selinux-policy-3.14.1-40.fc28.noarch


Should be fixed in the latest selinux-policy rpm package.
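As an added example (not part of this bug report and not the audit2allow tool itself), the script below parses the AVC records quoted in the description and in comment 2 and merges them into audit2allow-style allow rules. It shows why the enforcing-mode capture yields only `{ read }` while the permissive-mode capture gives the `{ open read }` rule that comment 7 reports as already allowed. The sample records are constructed from the lines quoted above; nothing beyond the page's own types and labels is assumed.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules (added example)."""
import re
from collections import defaultdict

# Constructed sample records, copied in shape from the audit lines quoted in this bug:
# the description (enforcing, permissive=0) and comment 2 (permissive=1).
ENFORCING_AVCS = """\
type=AVC msg=audit(1531126375.000:703): avc:  denied  { read } for  pid=3005 comm="ftdc" name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531126375.000:702): avc:  denied  { read } for  pid=3005 comm="ftdc" name="netstat" dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
"""
PERMISSIVE_AVCS = """\
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { open } for  pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { read } for  pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """system_u:system_r:mongod_t:s0 -> mongod_t (the type is the third field of the label)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, tclass, perms, permissive?) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                   set(m["perms"].split()), m["permissive"] == "1")

def allow_rules(text):
    """Merge all denials sharing (stype, ttype, tclass) into one allow rule, as audit2allow does."""
    perms = defaultdict(set)
    for stype, ttype, tclass, p, _ in parse_avcs(text):
        perms[(stype, ttype, tclass)] |= p
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    # In enforcing mode the openat() fails at the first denied check (read), so the
    # later open check is never reached and the generated rule is incomplete; the
    # permissive-mode capture records both permissions.
    print(allow_rules(ENFORCING_AVCS))   # ['allow mongod_t proc_net_t:file { read };']
    print(allow_rules(PERMISSIVE_AVCS))  # ['allow mongod_t proc_net_t:file { open read };']
```

The practical takeaway is the one comment 2 illustrates: collect the denials for a policy fix in permissive mode, otherwise each rule only covers the first permission that failed.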

Comment 8 Fedora Update System 2018-09-11 12:50:18 UTC
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 9 Fedora Update System 2018-09-12 02:56:35 UTC
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

