Bug 926991 - SELinux policy prevents mongod to bind to ports 27018, 27019, 28017, 28018 and 28019
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 952827
Reported: 2013-03-24 16:45 UTC by Johan Hedin
Modified: 2013-04-18 02:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 952827 (view as bug list)
Last Closed: 2013-04-18 02:49:38 UTC


Description Johan Hedin 2013-03-24 16:45:55 UTC
Description of problem:
mongod (in package mongodb-server) uses port 27017 as its standard port. It also uses 28017 as its standard http interface port. The current policy only includes 27017 in mongod_port_t, thus preventing mongod from binding to its default http interface port.

The lack of ports in mongod_port_t also prevents mongod from operating in its two other roles as config server or shard server.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
For http interface problem:
1. Make sure that nohttpinterface is not set to true in /etc/mongodb.conf

2. Start mongod; systemctl start mongod.service

For the ports 27018 and 27019:
1. Change port in /etc/mongodb.conf to 27018 or 27019 and make sure that nohttpinterface is not set to true.

2. Start mongod; systemctl start mongod.service

Actual results:
If mongod can't bind to the http interface port, it still starts but without its http interface. If mongod can't bind to 27018 or 27019 it does not start at all.

Expected results:
mongod should start normally and be able to bind to 27017 and 28017, 27018 and 28018 or 27019 and 28019.

Additional info:
Depending on what role mongod has, it uses one of three standard ports: 27017, 27018 or 27019. Also, if the http interface is enabled, mongod will bind to ports 28018, 28018 or 28019 respectively (standard port + 1000).

The six standard ports for mongod are documented here: http://docs.mongodb.org/manual/administration/security/#security-port-numbers.

Parts of this problem have been reported here: https://bugzilla.redhat.com/show_bug.cgi?id=752331 and here: https://bugzilla.redhat.com/show_bug.cgi?id=787173 but have not been resolved.

Please add ports 27018, 27019, 28017, 28018 and 28019 to mongod_port_t.
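The check an administrator would run before and after a policy update like this one, as an added example that is not part of the bug report or of the selinux-policy package: it parses the type/protocol/port-list lines that `semanage port -l` prints, expands port ranges, reports which of the six documented mongod ports are not yet labelled mongod_port_t, and prints the `semanage port -a` commands that would add them as a local customization until the updated policy package lands. The two listings below are constructed samples (one mirroring the pre-fix state described above, one mirroring the fixed state); on a live host they would be replaced by the real `semanage port -l` output.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output before the fix: only 27017
# is labelled mongod_port_t (the situation this bug describes).
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mongod_port_t                  tcp      27017
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# Constructed sample of the same listing after the policy update, using the
# range notation semanage prints for contiguous ports.
FIXED_PORT_LIST='mongod_port_t                  tcp      27017-27019, 28017-28019'

# The six documented mongod ports: the three role ports plus each one + 1000
# for the http interface.
MONGOD_PORTS="27017 27018 27019 28017 28018 28019"

# labelled_ports TYPE PROTO LISTING
# Print, one per line, every port the listing assigns to TYPE/PROTO,
# expanding "lo-hi" ranges into individual ports.
labelled_ports() {
    printf '%s\n' "$3" | awk -v t="$1" -v p="$2" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if (split($i, r, "-") == 2) {
                    for (n = r[1]; n <= r[2]; n++) print n
                } else {
                    print $i
                }
            }
        }'
}

# missing_ports TYPE PROTO LISTING
# Print the mongod ports that are not yet labelled TYPE/PROTO in the listing.
missing_ports() {
    have=$(labelled_ports "$1" "$2" "$3")
    for port in $MONGOD_PORTS; do
        found=no
        for h in $have; do
            [ "$h" = "$port" ] && found=yes
        done
        [ "$found" = no ] && printf '%s\n' "$port"
    done
    return 0
}

# semanage_commands TYPE PROTO LISTING
# Print the local-policy commands that would label each missing port.
# (semanage port -a adds a local port mapping; -t is the type, -p the protocol.)
semanage_commands() {
    for port in $(missing_ports "$1" "$2" "$3"); do
        printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$port"
    done
    return 0
}

# Stand-alone run against the constructed pre-fix sample. On a real host,
# pass "$(semanage port -l)" instead and review the output before executing it.
echo "Missing from mongod_port_t (pre-fix sample):"
missing_ports mongod_port_t tcp "$SAMPLE_PORT_LIST"
echo "Commands that would add them:"
semanage_commands mongod_port_t tcp "$SAMPLE_PORT_LIST"
echo "Missing after the update (fixed sample):"
missing_ports mongod_port_t tcp "$FIXED_PORT_LIST"
```

The script only prints the `semanage` commands rather than running them, so the listing can be reviewed first; once the updated selinux-policy package is installed the ports are labelled by the distribution policy and the local additions can be removed again with `semanage port -d`.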

Comment 1 Miroslav Grepl 2013-03-25 11:04:23 UTC
commit 094d3af949fb0040fb04c123131c85c2e772b68f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Mar 25 12:02:49 2013 +0100

    Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019 ports

Comment 2 Fedora Update System 2013-04-15 11:10:08 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.

Comment 3 Fedora Update System 2013-04-16 00:05:39 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 4 Johan Hedin 2013-04-16 18:56:38 UTC
selinux-policy-3.11.1-90.fc18 fixes the problem.

One question though; will this eventually propagate to RHEL 6 as well? The policy for mongod in RHEL 6 (or CentOS in my case) is quite similar to the one in Fedora but does not at this point enforce the ports.

So, will this change and will this addition to the policy be in there when it does?

Comment 5 Daniel Walsh 2013-04-16 19:42:15 UTC

Comment 6 Johan Hedin 2013-04-17 18:40:38 UTC
Great, thanks Dan!

Comment 7 Fedora Update System 2013-04-18 02:49:40 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
