Bug 952827 - SELinux policy prevents mongod to bind to ports 27018, 27019, 28017, 28018 and 28019
Summary: SELinux policy prevents mongod to bind to ports 27018, 27019, 28017, 28018 an...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 926991
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-16 19:41 UTC by Daniel Walsh
Modified: 2013-11-21 10:22 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 926991
Environment:
Last Closed: 2013-11-21 10:22:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Daniel Walsh 2013-04-16 19:41:38 UTC
+++ This bug was initially created as a clone of Bug #926991 +++

Description of problem:
mongod (in package mongodb-server) uses port 27017 as its standard port. It also uses 28017 as it's standard http interface port. The current policy only include 27017 in mongod_port_t thus preventing mongod to bind to its default http interface port.

The lack of ports in mongod_port_t also prevents mongod to operate in it's two other roles as config server or shard server.


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-85.fc18


How reproducible:
Every time.


Steps to Reproduce:
For http interface problem:
1. Make sure that nohttpinterface is not set to true in /etc/mongodb.conf

2. Start mongod; systemctl start mongod.service

For the ports 27018 and 27019:
1. Change port in /etc/mongodb.conf to 27018 or 27019 and make sure that nohttpinterface is not set to true.

2. Start mongod; systemctl start mongod.service

  
Actual results:
If mongod can't bind to the the http interface port, it still starts but without its http inteface. If mongod can't bind to 27018 or 27019 it does not start at all.


Expected results:
mongod should start normally and be able to bind to 27017 and 28017, 27018 and 28018 or 27019 and 28019.


Additional info:
Depending on what role mongod has, it uses one of three standard ports. 27017, 27018 or 27019. Also, if the http interface is enabled, mongod will bind to ports 28018, 28018 or 28019 respectively (standard port + 1000).

The six standard ports for mongod is documented here: http://docs.mongodb.org/manual/administration/security/#security-port-numbers.

Parts of this problem has been reported here: https://bugzilla.redhat.com/show_bug.cgi?id=752331 and here: https://bugzilla.redhat.com/show_bug.cgi?id=787173 but has not been resolved.

Please add ports 27018, 27019, 28017, 28018 and 28019 to mongod_port_t.

--- Additional comment from Miroslav Grepl on 2013-03-25 07:04:23 EDT ---

commit 094d3af949fb0040fb04c123131c85c2e772b68f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Mar 25 12:02:49 2013 +0100

    Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019 ports

--- Additional comment from Fedora Update System on 2013-04-15 07:10:08 EDT ---

selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

--- Additional comment from Fedora Update System on 2013-04-15 20:05:39 EDT ---

Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

--- Additional comment from Johan Hedin on 2013-04-16 14:56:38 EDT ---

selinux-policy-3.11.1-90.fc18 fixes the problem.

One question though; will this eventually propagate to RHEL 6 as well? The policy for mongod in RHEL 6 (or CentOS in my case) is quite similar to the one in Fedora but does not at this point enforce the ports.

So, will this change and will this addition to the policy be in there when it does?

Comment 7 errata-xmlrpc 2013-11-21 10:22:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.