Bug 972340 - SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.
SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory ...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:7cfc72144459967cfe21c88d3ca...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-08 13:05 EDT by stevdrey
Modified: 2013-08-15 14:58 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.11.1-100.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-14 22:53:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description stevdrey 2013-06-08 13:05:55 EDT
Description of problem:
I just try to start the deamon mongod
SELinux is preventing /usr/bin/mongod from 'write' accesses on the directory mongo.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow mongod to have write access on the mongo directory
Then necesita modificar la etiqueta en mongo
Do
# semanage fcontext -a -t FILE_TYPE 'mongo'
donde FILE_TYPE es uno de los siguientes: mongod_log_t, mongod_tmp_t, mongod_var_lib_t, mongod_var_run_t, tmp_t, var_log_t, var_run_t. 
Luego ejecute: 
restorecon -v 'mongo'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If cree que de manera predeterminada, mongod debería permitir acceso write sobre  mongo directory.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                mongo [ dir ]
Source                        mongod
Source Path                   /usr/bin/mongod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mongo-10gen-server-2.4.4-mongodb_1.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.i686 #1 SMP Fri May
                              24 20:35:02 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-08 10:55:41 CST
Last Seen                     2013-06-08 10:55:41 CST
Local ID                      d419996f-219d-4457-a7fc-b977141dd304

Raw Audit Messages
type=AVC msg=audit(1370710541.256:511): avc:  denied  { write } for  pid=16683 comm="mongod" name="mongo" dev="dm-3" ino=4849666 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=SYSCALL msg=audit(1370710541.256:511): arch=i386 syscall=open success=no exit=EACCES a0=ac5283c a1=8042 a2=1ff a3=0 items=0 ppid=16682 pid=16683 auid=4294967295 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: mongod,mongod_t,var_t,dir,write

audit2allow

#============= mongod_t ==============
allow mongod_t var_t:dir write;

audit2allow -R
require {
	type mongod_t;
}

#============= mongod_t ==============
files_write_var_dirs(mongod_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.i686
type:           libreport
Comment 1 Miroslav Grepl 2013-06-12 03:46:39 EDT
What does

# rpm -ql mongo-10gen-server-2.4.4-mongodb_1.i686



Also it does not come from Fedora, right?
Comment 2 Serge Matveenko 2013-07-02 16:51:39 EDT
I think it's time for you to talk to each other
https://jira.mongodb.org/browse/SERVER-8881
Comment 3 Mark Adams 2013-07-16 10:43:55 EDT
The bug from 10gen is suggesting that this is a regression between Fedora 17 and 18. The same issue is affecting Fedora 19 as well. According to their JIRA issue: 

"In the SELinux policy in Fedora 17, /var/lib/mongo is labeled mongod_var_lib_t and the 10gen RPM:s should work as expected. In Fedora 18 (and RHEL/CentOS/SL 6 as well), the policy is lacking this label rule."
Comment 4 Mark Adams 2013-07-16 10:48:48 EDT
rpm -ql mongo-10gen-server.x86_64
/etc/mongod.conf
/etc/rc.d/init.d/mongod
/etc/sysconfig/mongod
/usr/bin/mongod
/usr/bin/mongos
/usr/share/man/man1/mongod.1
/usr/share/man/man1/mongos.1
/var/lib/mongo
/var/log/mongo
/var/log/mongo/mongod.log

The package comes from 10gen (the developer) using their repo at http://downloads-distro.mongodb.org/repo/redhat/os/x86_64 .

As you can see in comment 3, someone on 10gen's JIRA issue claims that this used to be part of the selinux-policy back in Fedora 17 but was removed.
Comment 5 Daniel Walsh 2013-07-16 13:20:19 EDT
Ok the mongodb that we ship has the following paths


rpm -q mongodb-server -l| grep /var
/var/lib/mongodb
/var/log/mongodb
/var/run/mongodb


Which we label correctly.

936911269cb82447d62c3934ebb08265a9b8dc70 fixes this in git.
Comment 6 Miroslav Grepl 2013-07-17 06:02:39 EDT
Back ported.
Comment 7 Fedora Update System 2013-08-05 01:40:28 EDT
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-99.fc18
Comment 8 Fedora Update System 2013-08-05 20:14:03 EDT
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14256/selinux-policy-3.11.1-99.fc18
then log in and leave karma (feedback).
Comment 9 Serge Matveenko 2013-08-06 09:06:18 EDT
How to get this in Fedora 19?
Comment 10 Fedora Update System 2013-08-07 07:11:42 EDT
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-100.fc18
Comment 11 Daniel Walsh 2013-08-07 13:39:26 EDT
It should show up there also.
Comment 12 Fedora Update System 2013-08-14 22:53:34 EDT
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Serge Matveenko 2013-08-15 03:58:19 EDT
Fedora 19 is affected also. How to get this fix on it?
Comment 14 Daniel Walsh 2013-08-15 14:58:33 EDT
Should be fixed in selinux-policy-3.12.1-70

Note You need to log in before you can comment on or make changes to this bug.