Additional info: libreport version: 2.0.13 kernel: 3.5.4-1.fc17.x86_64 description: :SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /var/log/mongo/mongod.log. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that mongod should be allowed open access on the mongod.log file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep mongod /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:mongod_t:s0 :Target Context system_u:object_r:var_log_t:s0 :Target Objects /var/log/mongo/mongod.log [ file ] :Source mongod :Source Path /usr/bin/mongod :Port <Unknown> :Host (removed) :Source RPM Packages mongo-10gen-server-2.2.0-mongodb_1.x86_64 :Target RPM Packages mongo-10gen-server-2.2.0-mongodb_1.x86_64 :Policy RPM selinux-policy-3.10.0-149.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.5.4-1.fc17.x86_64 #1 SMP Mon Sep : 17 15:03:59 UTC 2012 x86_64 x86_64 :Alert Count 5 :First Seen 2012-09-22 20:07:51 CEST :Last Seen 2012-09-22 20:11:31 CEST :Local ID 2b94fa41-0d25-40cc-9b4e-786aaf3ded21 : :Raw Audit Messages :type=AVC msg=audit(1348337491.831:256): avc: denied { open } for pid=4004 comm="mongod" path="/var/log/mongo/mongod.log" dev="dm-1" ino=3411350 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file : : :type=SYSCALL msg=audit(1348337491.831:256): arch=x86_64 syscall=open success=no exit=EACCES a0=7f11b7f00998 a1=441 a2=1b6 a3=7fffe35d38e0 items=0 ppid=4003 pid=4004 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) : :Hash: mongod,mongod_t,var_log_t,file,open : :audit2allow : :#============= mongod_t ============== :#!!!! This avc is allowed in the current policy : :allow mongod_t var_log_t:file open; : :audit2allow -R : :#============= mongod_t ============== :#!!!! This avc is allowed in the current policy : :allow mongod_t var_log_t:file open; :
Created attachment 615894 [details] File: type
Created attachment 615895 [details] File: hashmarkername
It does not look like Fedora ships mongo-10gen-server-2.2.0-mongodb_1. What does # rpm -qf /var/log/mongo
Fedora doesn't ship with this version of MongoDB, it was installed from official 10gen MongoDB repository as described at http://docs.mongodb.org/manual/tutorial/install-mongodb-on-redhat-centos-or-fedora-linux/
Ok, and what is your output of # rpm -qf /var/log/mongo
# rpm -qf /var/log/mongo error: file /var/log/mongo: No such file or directory
Execute # chcon -t mongod_log_t /var/log/mongo/mongod.log which will fix it for now.
selinux-policy-3.10.0-150.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-150.fc17
Package selinux-policy-3.10.0-150.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-150.fc17' as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-14725/selinux-policy-3.10.0-150.fc17 then log in and leave karma (feedback).
I tested the update, but it unfortunately didn't help. The service is still not starting and I receive SELinux security alert with the possibility to report it as a bug. Do you need any more information?
And if you execute # restorecon -R -v /var/log/mongo/mongod.log
Still the same... but now it seems it has a problem with /var/lib/mongo, not /var/log/mongo/mongod.log anymore.
Ok, restorecon -R -v /var/log/mongo
I tried that, too. Still not working.
What does # matchpathcon /var/log/mongo # ls -dZ matchpathcon /var/log/mongo
# matchpathcon /var/log/mongo > /var/log/mongo system_u:object_r:mongod_log_t:s0 # ls -dZ matchpathcon /var/log/mongo > ls: cannot access matchpathcon: No such file or directory > drwxr-xr-x. mongod mongod system_u:object_r:mongod_log_t:s0 /var/log/mongo
But as I've already written earlier... the problem now seems to be with /var/lib/mongo, not /var/log/mongo.
Ah, you are right, I missed it.
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Package selinux-policy-3.10.0-153.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17 then log in and leave karma (feedback).
I've applied the update and now I'm getting: > SELinux is preventing /usr/bin/mongod from getattr access on the filesystem /.
Lukas, could you switch to permissive and collect all AVC msgs?
service mongod start Package: (null) Architecture: i686 OS Release: Fedora release 17 (Beefy Miracle)
How do I collect all the AVC msgs?
ausearch -m avc
Created attachment 643535 [details] ausearch -m avc output
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.