View Issue Details

ID: 0015135
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-09-13 10:11
Reporter: ccansb00
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0015135: SELinux is preventing /usr/bin/mongod from 'open' accesses on the archivo /proc/<pid>/net/snmp.
Description:
Description of problem:
SELinux is preventing /usr/bin/mongod from 'open' accesses on the archivo /proc/<pid>/net/snmp.

***** Plugin catchall (100. confidence) suggests **************************

Si cree que de manera predeterminada se debería permitir a mongod el acceso open sobre snmp file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso temporalmente ejecutando:
# ausearch -c 'ftdc' --raw | audit2allow -M mi-ftdc
# semodule -i mi-ftdc.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects /proc/<pid>/net/snmp [ file ]
Source ftdc
Source Path /usr/bin/mongod
Port <Unknown>
Host (removed)
Source RPM Packages mongodb-org-server-3.6.6-1.amzn1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.9.1.el7.x86_64 #1 SMP
                              Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64
Alert Count 75778
First Seen 2018-08-02 12:44:55 CEST
Last Seen 2018-08-03 09:08:20 CEST
Local ID 9db1437f-0e9e-4b5c-ab17-8b05e190b0b3

Raw Audit Messages
type=AVC msg=audit(1533280100.0:2113): avc: denied { open } for pid=3204 comm="ftdc" path="/proc/3204/net/snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1533280100.0:2113): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb012e03590 a1=0 a2=7fb012e03590 a3=6e6564206e6f items=0 ppid=1 pid=3204 auid=4294967295 uid=375 gid=371 euid=375 suid=375 fsuid=375 egid=371 sgid=371 fsgid=371 tty=(none) ses=4294967295 comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: ftdc,mongod_t,proc_net_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-192.el7_5.4.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.9.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 1f15c1c86f70676d54be75d4cefab97da3d5a8a71e05c23e6651f333b2cdfdbb
URL:

Activities

jarode

2018-09-12 02:36

reporter   ~0032703

Another user experienced a similar problem:

I just installed mongodb, and when I rebooted my computer, I saw the bug shown by the SELinux Troubleshooter.

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.11.6.el7.x86_64
package: selinux-policy-3.13.1-192.el7_5.6.noarch
reason: SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /proc/<pid>/net/snmp.
reproducible: Not sure how to reproduce the problem
type: libreport

jarode

2018-09-13 10:05

reporter   ~0032711

Another user experienced a similar problem:

just installed mongodb

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.11.6.el7.x86_64
package: selinux-policy-3.13.1-192.el7_5.6.noarch
reason: SELinux is preventing /usr/bin/mongod from 'open' accesses on the file /proc/<pid>/net/snmp.
reproducible: Not sure how to reproduce the problem
type: libreport

jednou

2018-09-13 10:11

reporter   ~0032712

after running:
# ausearch -c 'ftdc' --raw | audit2allow -M mi-ftdc
# semodule -i mi-ftdc.pp

No improvement, /var/log/messages still shows:

Sep 13 13:09:44 XXXXXX setroubleshoot: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp. For complete SELinux messages run: sealert -l 2af2e685-7220-4adf-9a0e-1f8552416ca8
Sep 13 13:09:44 XXXXXX python: SELinux is preventing /usr/bin/mongod from open access on the file /proc/<pid>/net/snmp.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that mongod should be allowed open access on the snmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc#012# semodule -i my-ftdc.pp#012

Issue History

Date Modified Username Field Change
2018-08-03 07:13 ccansb00 New Issue
2018-09-12 02:36 jarode Note Added: 0032703
2018-09-13 10:05 jarode Note Added: 0032711
2018-09-13 10:11 jednou Note Added: 0032712