Description of problem:
mongod (in package mongodb-server) uses port 27017 as its standard port. It also uses 28017 as its standard http interface port. The current policy only includes 27017 in mongod_port_t, thus preventing mongod from binding to its default http interface port. The lack of ports in mongod_port_t also prevents mongod from operating in its two other roles as config server or shard server.

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-85.fc18

How reproducible:
Every time.

Steps to Reproduce:
For http interface problem:
1. Make sure that nohttpinterface is not set to true in /etc/mongodb.conf
2. Start mongod; systemctl start mongod.service

For the ports 27018 and 27019:
1. Change port in /etc/mongodb.conf to 27018 or 27019 and make sure that nohttpinterface is not set to true.
2. Start mongod; systemctl start mongod.service

Actual results:
If mongod can't bind to the http interface port, it still starts but without its http interface. If mongod can't bind to 27018 or 27019 it does not start at all.

Expected results:
mongod should start normally and be able to bind to 27017 and 28017, 27018 and 28018 or 27019 and 28019.

Additional info:
Depending on what role mongod has, it uses one of three standard ports: 27017, 27018 or 27019. Also, if the http interface is enabled, mongod will bind to ports 28018, 28018 or 28019 respectively (standard port + 1000). The six standard ports for mongod are documented here: http://docs.mongodb.org/manual/administration/security/#security-port-numbers.

Parts of this problem have been reported here: https://bugzilla.redhat.com/show_bug.cgi?id=752331 and here: https://bugzilla.redhat.com/show_bug.cgi?id=787173 but have not been resolved.

Please add ports 27018, 27019, 28017, 28018 and 28019 to mongod_port_t.
commit 094d3af949fb0040fb04c123131c85c2e772b68f
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 25 12:02:49 2013 +0100

    Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-90.fc18 fixes the problem. One question though; will this eventually propagate to RHEL 6 as well? The policy for mongod in RHEL 6 (or CentOS in my case) is quite similar to the one in Fedora but does not at this point enforce the ports. So, will this change and will this addition to the policy be in there when it does?
https://bugzilla.redhat.com/show_bug.cgi?id=952827
Great, thanks Dan!
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
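
To confirm that an installed policy labels all six mongod ports from this report, the following added example (not part of the bug thread or of the policy commit) parses `semanage port -l` output and prints a local `semanage port -a` workaround for each port still missing. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the six mongod ports named in this bug are
# not labelled mongod_port_t in `semanage port -l` output (read from stdin).

WANTED="27017 27018 27019 28017 28018 28019"

# Print every tcp port labelled mongod_port_t, one per line, expanding ranges
# such as "27017-27019" that semanage prints for consecutive ports.
labelled_ports() {
    awk '$1 == "mongod_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            gsub(/,/, "", $i)
            n = split($i, r, "-")
            lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            for (p = lo; p <= hi; p++) print p
        }
    }'
}

# Print the wanted ports that are missing from the label, space separated.
missing_mongod_ports() {
    have=$(labelled_ports)
    out=""
    for p in $WANTED; do
        echo "$have" | grep -qx "$p" || out="${out:+$out }$p"
    done
    echo "$out"
}

# Constructed sample: the label as described in the report (only 27017).
SAMPLE_BEFORE='mongod_port_t                  tcp      27017
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# Constructed sample: all six ports present, written as ranges plus a list.
SAMPLE_AFTER='mongod_port_t                  tcp      27017-27019, 28017, 28018-28019'

# On a real host: semanage port -l | missing_mongod_ports
for p in $(printf '%s\n' "$SAMPLE_BEFORE" | missing_mongod_ports); do
    # Local workaround until the updated policy is installed (run as root).
    echo "semanage port -a -t mongod_port_t -p tcp $p"
done
```

An empty result from `missing_mongod_ports` means every port mongod needs for its three roles and their http interfaces is already labelled.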