Bug 972340 - SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.
Summary: SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory ...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 18
Hardware: i686 Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:7cfc72144459967cfe21c88d3ca...
Depends On:
TreeView+ depends on / blocked
Reported: 2013-06-08 17:05 UTC by stevdrey
Modified: 2013-08-15 18:58 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.11.1-100.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-15 02:53:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description stevdrey 2013-06-08 17:05:55 UTC
Description of problem:
I just try to start the deamon mongod
SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow mongod to have write access on the mongo directory
Then necesita modificar la etiqueta en mongo
# semanage fcontext -a -t FILE_TYPE 'mongo'
donde FILE_TYPE es uno de los siguientes: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t. 
Luego ejecute: 
restorecon -v 'mongo'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If cree que de manera predeterminada, mongod debería permitir acceso write sobre  mongo directory.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
permita el acceso momentáneamente executando:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                mongo [ dir ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mongo-10gen-server-2.4.4-mongodb_1.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.i686 #1 SMP Fri May
                              24 20:35:02 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-08 10:55:41 CST
Last Seen                     2013-06-08 10:55:41 CST
Local ID                      d419996f-219d-4457-a7fc-b977141dd304

Raw Audit Messages
type=AVC msg=audit(1370710541.256:511): avc:  denied  { write } for  pid=16683 comm="mongod" name="mongo" dev="dm-3" ino=4849666 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir

type=SYSCALL msg=audit(1370710541.256:511): arch=i386 syscall=open success=no exit=EACCES a0=ac5283c a1=8042 a2=1ff a3=0 items=0 ppid=16682 pid=16683 auid=4294967295 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,var_t,dir,write


#============= mongod_t ==============
allow mongod_t var_t:dir write;

audit2allow -R
require {
	type mongod_t;

#============= mongod_t ==============

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.i686
type:           libreport

Comment 1 Miroslav Grepl 2013-06-12 07:46:39 UTC
What does

# rpm -ql mongo-10gen-server-2.4.4-mongodb_1.i686

Also it does not come from Fedora, right?

Comment 2 Serge Matveenko 2013-07-02 20:51:39 UTC
I think it's time for you to talk to each other

Comment 3 Mark Adams 2013-07-16 14:43:55 UTC
The bug from 10gen is suggesting that this is a regression between Fedora 17 and 18. The same issue is affecting Fedora 19 as well. According to their JIRA issue: 

"In the SELinux policy in Fedora 17, /var/lib/mongo is labeled mongod_var_lib_t and the 10gen RPM:s should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule."

Comment 4 Mark Adams 2013-07-16 14:48:48 UTC
rpm -ql mongo-10gen-server.x86_64

The package comes from 10gen (the developer) using their repo at http://downloads-distro.mongodb.org/repo/redhat/os/x86_64 .

As you can see in comment 3, someone on 10gen's JIRA issue claims that this used to be part of the selinux-policy back in Fedora 17 but was removed.

Comment 5 Daniel Walsh 2013-07-16 17:20:19 UTC
Ok the mongodb that we ship has the following paths

rpm -q mongodb-server -l| grep /var

Which we label correctly.

936911269cb82447d62c3934ebb08265a9b8dc70 fixes this in git.

Comment 6 Miroslav Grepl 2013-07-17 10:02:39 UTC
Back ported.

Comment 7 Fedora Update System 2013-08-05 05:40:28 UTC
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.

Comment 8 Fedora Update System 2013-08-06 00:14:03 UTC
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 9 Serge Matveenko 2013-08-06 13:06:18 UTC
How to get this in Fedora 19?

Comment 10 Fedora Update System 2013-08-07 11:11:42 UTC
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.

Comment 11 Daniel Walsh 2013-08-07 17:39:26 UTC
It should show up there also.

Comment 12 Fedora Update System 2013-08-15 02:53:34 UTC
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Serge Matveenko 2013-08-15 07:58:19 UTC
Fedora 19 is affected also. How to get this fix on it?

Comment 14 Daniel Walsh 2013-08-15 18:58:33 UTC
Should be fixed in selinux-policy-3.12.1-70

Note You need to log in before you can comment on or make changes to this bug.