Bug 859646 - SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /var/log/mongo/mongod.log.
SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /var/l...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:84a794fd8d21aed96cac7cfe36b...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-22 14:27 EDT by Lukas Sembera
Modified: 2013-08-01 13:49 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 13:48:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-09-22 14:27 EDT, Lukas Sembera
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-09-22 14:27 EDT, Lukas Sembera
no flags Details
ausearch -m avc output (153.62 KB, text/plain)
2012-11-12 08:32 EST, Lukas Sembera
no flags Details

  None (edit)
Description Lukas Sembera 2012-09-22 14:27:11 EDT
Additional info:
libreport version: 2.0.13
kernel:         3.5.4-1.fc17.x86_64

description:
:SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /var/log/mongo/mongod.log.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that mongod should be allowed open access on the mongod.log file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:mongod_t:s0
:Target Context                system_u:object_r:var_log_t:s0
:Target Objects                /var/log/mongo/mongod.log [ file ]
:Source                        mongod
:Source Path                   /usr/bin/mongod
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           mongo-10gen-server-2.2.0-mongodb_1.x86_64
:Target RPM Packages           mongo-10gen-server-2.2.0-mongodb_1.x86_64
:Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep
:                              17 15:03:59 UTC 2012 x86_64 x86_64
:Alert Count                   5
:First Seen                    2012-09-22 20:07:51 CEST
:Last Seen                     2012-09-22 20:11:31 CEST
:Local ID                      2b94fa41-0d25-40cc-9b4e-786aaf3ded21
:
:Raw Audit Messages
:type=AVC msg=audit(1348337491.831:256): avc:  denied  { open } for  pid=4004 comm="mongod" path="/var/log/mongo/mongod.log" dev="dm-1" ino=3411350 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1348337491.831:256): arch=x86_64 syscall=open success=no exit=EACCES a0=7f11b7f00998 a1=441 a2=1b6 a3=7fffe35d38e0 items=0 ppid=4003 pid=4004 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
:
:Hash: mongod,mongod_t,var_log_t,file,open
:
:audit2allow
:
:#============= mongod_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow mongod_t var_log_t:file open;
:
:audit2allow -R
:
:#============= mongod_t ==============
:#!!!! This avc is allowed in the current policy
:
:allow mongod_t var_log_t:file open;
:
Comment 1 Lukas Sembera 2012-09-22 14:27:15 EDT
Created attachment 615894 [details]
File: type
Comment 2 Lukas Sembera 2012-09-22 14:27:17 EDT
Created attachment 615895 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-09-24 06:51:57 EDT
It does not look like Fedora ships mongo-10gen-server-2.2.0-mongodb_1.

What does

# rpm -qf /var/log/mongo
Comment 4 Lukas Sembera 2012-09-24 07:32:32 EDT
Fedora doesn't ship with this version of MongoDB, it was installed from official 10gen MongoDB repository as described at http://docs.mongodb.org/manual/tutorial/install-mongodb-on-redhat-centos-or-fedora-linux/
Comment 5 Miroslav Grepl 2012-09-24 07:43:34 EDT
Ok, and what is your output of

# rpm -qf /var/log/mongo
Comment 6 Lukas Sembera 2012-09-24 07:53:08 EDT
# rpm -qf /var/log/mongo
  error: file /var/log/mongo: No such file or directory
Comment 7 Miroslav Grepl 2012-09-24 09:05:04 EDT
Execute

# chcon -t mongod_log_t /var/log/mongo/mongod.log

which will fix it for now.
Comment 8 Fedora Update System 2012-09-24 15:00:28 EDT
selinux-policy-3.10.0-150.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-150.fc17
Comment 9 Fedora Update System 2012-09-25 00:29:45 EDT
Package selinux-policy-3.10.0-150.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-150.fc17'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14725/selinux-policy-3.10.0-150.fc17
then log in and leave karma (feedback).
Comment 10 Lukas Sembera 2012-09-25 07:33:42 EDT
I tested the update, but it unfortunately didn't help. The service is still not starting and I receive SELinux security alert with the possibility to report it as a bug. Do you need any more information?
Comment 11 Miroslav Grepl 2012-09-25 08:13:51 EDT
And if you execute

# restorecon -R -v /var/log/mongo/mongod.log
Comment 12 Lukas Sembera 2012-09-25 08:23:14 EDT
Still the same... but now it seems it has a problem with /var/lib/mongo, not /var/log/mongo/mongod.log anymore.
Comment 13 Miroslav Grepl 2012-09-27 12:59:30 EDT
Ok, 

restorecon -R -v /var/log/mongo
Comment 14 Lukas Sembera 2012-09-27 14:05:30 EDT
I tried that, too. Still not working.
Comment 15 Miroslav Grepl 2012-10-02 06:00:01 EDT
What does

# matchpathcon /var/log/mongo

# ls -dZ matchpathcon /var/log/mongo
Comment 16 Lukas Sembera 2012-10-02 06:05:17 EDT
# matchpathcon /var/log/mongo
> /var/log/mongo	system_u:object_r:mongod_log_t:s0

# ls -dZ matchpathcon /var/log/mongo
> ls: cannot access matchpathcon: No such file or directory
> drwxr-xr-x. mongod mongod system_u:object_r:mongod_log_t:s0 /var/log/mongo
Comment 17 Lukas Sembera 2012-10-02 06:06:31 EDT
But as I've already written earlier... the problem now seems to be with /var/lib/mongo, not /var/log/mongo.
Comment 18 Miroslav Grepl 2012-10-05 08:02:03 EDT
Ah, you are right, I missed it.
Comment 19 Fedora Update System 2012-10-08 10:05:41 EDT
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Comment 20 Fedora Update System 2012-10-08 17:56:46 EDT
Package selinux-policy-3.10.0-153.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17
then log in and leave karma (feedback).
Comment 21 Lukas Sembera 2012-10-09 03:39:14 EDT
I've applied the update and now I'm getting:

> SELinux is preventing /usr/bin/mongod from getattr access on the filesystem /.
Comment 22 Miroslav Grepl 2012-10-09 03:51:47 EDT
Lukas,
could you switch to permissive and collect all AVC msgs?
Comment 23 Chandrakant Kumar 2012-10-12 05:29:11 EDT
service mongod start

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 24 Lukas Sembera 2012-10-18 07:02:14 EDT
How do I collect all the AVC msgs?
Comment 25 Miroslav Grepl 2012-10-22 05:10:10 EDT
ausearch -m avc
Comment 26 Lukas Sembera 2012-11-12 08:32:13 EST
Created attachment 643535 [details]
ausearch -m avc output
Comment 27 Fedora End Of Life 2013-07-04 02:17:46 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 28 Fedora End Of Life 2013-08-01 13:49:05 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.