Bug 752331 - SELinux is preventing mongod from name_bind access on the tcp_socket port 28017
Summary: SELinux is preventing mongod from name_bind access on the tcp_socket port 28017
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mongodb
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nathaniel McCallum
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 787173 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-09 07:57 UTC by Mads Villadsen
Modified: 2012-02-14 09:11 UTC (History)
3 users (show)

Fixed In Version: mongodb-2.0.2-8.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-14 09:01:01 UTC


Attachments (Terms of Use)

Description Mads Villadsen 2011-11-09 07:57:02 UTC
Description of problem:
When starting the mongod service I get an selinux error.

Version-Release number of selected component (if applicable):
mongodb-1.8.2-9.fc16.x86_64
mongodb-server-1.8.2-9.fc16.x86_64
libmongodb-1.8.2-9.fc16.x86_64


Additional info:
Output from sealert:

SELinux is preventing mongod from name_bind access on the tcp_socket port 28017.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mongod should be allowed name_bind access on the port 28017 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 28017 [ tcp_socket ]
Source                        mongod
Source Path                   mongod
Port                          28017
Host                          siamese
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-46.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     siamese
Platform                      Linux siamese 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1
                              21:10:48 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 09 Nov 2011 08:53:17 AM CET
Last Seen                     Wed 09 Nov 2011 08:53:17 AM CET
Local ID                      9ec9a387-9365-4252-90e8-f3a1c6923f52

Raw Audit Messages
type=AVC msg=audit(1320825197.842:374): avc:  denied  { name_bind } for  pid=17037 comm="mongod" src=28017 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


Hash: mongod,mongod_t,unreserved_port_t,tcp_socket,name_bind

audit2allow

#============= mongod_t ==============
allow mongod_t unreserved_port_t:tcp_socket name_bind;

audit2allow -R

#============= mongod_t ==============
allow mongod_t unreserved_port_t:tcp_socket name_bind;

Comment 1 Chris Lalancette 2011-11-29 04:32:46 UTC
Oh, very interesting.  I'm seeing this problem here as well, but I see why it doesn't affect anything.

When I start up mongod, I get an AVC that looks like:

type=AVC msg=audit(1322540873.004:69): avc:  denied  { name_bind } for  pid=993 comm="mongod" src=28017 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Notice that it says pid=993.  However, my currently running mongod process seems to be PID 986.  What that seems to say to me is that mongod is forking some helper process during bootup, leaking a file descriptor, and that is being reported as an AVC.  It is probably mostly harmless, but it is indeed a bug.  I'll see if I can find some time to track down the file descriptor leak.

Thanks for the report.

Comment 2 Fedora Admin XMLRPC Client 2012-02-03 18:49:41 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Fedora Update System 2012-02-03 19:30:36 UTC
mongodb-2.0.2-8.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mongodb-2.0.2-8.fc15

Comment 4 Fedora Update System 2012-02-03 19:31:01 UTC
mongodb-2.0.2-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/mongodb-2.0.2-8.fc16

Comment 5 Nathaniel McCallum 2012-02-03 21:35:16 UTC
*** Bug 787173 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2012-02-04 05:31:44 UTC
Package mongodb-2.0.2-8.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mongodb-2.0.2-8.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1293/mongodb-2.0.2-8.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-02-14 09:01:01 UTC
mongodb-2.0.2-8.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-02-14 09:11:09 UTC
mongodb-2.0.2-8.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.