View Issue Details

ID: 0015137
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-11-04 22:47
Reporter: gotam19
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0015137: SELinux is preventing /usr/bin/mongod from 'read' accesses on the file snmp.
Description:
Description of problem:
> installed mongodb 3.6
> semanage port -a -t mongod_port_t -p tcp 27017
> added new service in firewalld and reloaded
> systemctl enable mongod.service
> systemctl start mongod.service

Ended up in an SELinux alert.

/usr/bin/mongod attempted to read the files [snmp, netstat].
SELinux is preventing /usr/bin/mongod from 'read' accesses on the file snmp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mongod should be allowed read access on the snmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc
# semodule -i my-ftdc.pp

Additional Information:
Source Context system_u:system_r:mongod_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects snmp [ file ]
Source ftdc
Source Path /usr/bin/mongod
Port <Unknown>
Host (removed)
Source RPM Packages mongodb-org-server-3.6.6-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64
Alert Count 7774
First Seen 2018-08-02 19:15:43 IST
Last Seen 2018-08-03 16:41:09 IST
Local ID 8481e838-3c4f-44af-9ecc-1a42e9f97651

Raw Audit Messages
type=AVC msg=audit(1533294669.0:10944): avc: denied { read } for pid=16268 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1533294669.0:10944): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa28e290590 a1=0 a2=7fa28e290590 a3=4e7 items=0 ppid=1 pid=16268 auid=4294967295 uid=983 gid=976 euid=983 suid=983 fsuid=983 egid=976 sgid=976 fsgid=976 tty=(none) ses=4294967295 comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)

Hash: ftdc,mongod_t,proc_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-192.el7_5.4.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.9.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 3d34c6f6f49f4670dbb39deadf688741e79eea168f261fa8a7d56f4a409ad9f0

Activities

turiyag (reporter), 2018-11-04 22:47, note ~0033068

Another user experienced a similar problem:

Install CentOS 7.
Install the latest MongoDB (I got 4.0.3): https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/
```bash
yum install https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/RPMS/mongodb-org-4.0.3-1.el7.x86_64.rpm \
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/RPMS/mongodb-org-shell-4.0.3-1.el7.x86_64.rpm \
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/RPMS/mongodb-org-mongos-4.0.3-1.el7.x86_64.rpm \
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/RPMS/mongodb-org-tools-4.0.3-1.el7.x86_64.rpm \
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/RPMS/mongodb-org-server-4.0.3-1.el7.x86_64.rpm
```

Start the mongodb server
```bash
sudo systemctl start mongod
```

Connect to the MongoDB server and run a query:
```bash
echo '
  use testdb
  db.testcol.insertOne({hello:"world"});
  db.testcol.find({}).pretty();
' | mongo
```

You should see some FTDC entries in mongod.log:
```bash
sudo grep FTDC /var/log/mongodb/mongod.log
```

You should also see entries in the audit logs:
```bash
sudo ausearch -c 'ftdc' --raw
```

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.14.4.el7.x86_64
package: selinux-policy-3.13.1-192.el7_5.6.noarch
reason: SELinux is preventing ftdc from 'read' accesses on the file netstat.
reproducible: Not sure how to reproduce the problem
type: libreport
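The setroubleshoot text in the report recommends `ausearch -c 'ftdc' --raw | audit2allow -M my-ftdc` followed by `semodule -i my-ftdc.pp`, and the reproduction steps above end with the same `ausearch` command. Before loading anything with `semodule`, it is worth seeing exactly which allow rule those AVC records translate to, because the denial is against the type `proc_net_t`, which covers every file under /proc/net, not just `snmp` and `netstat`. The script below is an added example, not code from the bug report or from the MongoDB or selinux-policy projects: it performs the derivation that `audit2allow` does internally (AVC record to `allow` rule to a `.te` module with its `require` block) so the result can be read before it is compiled. The two AVC lines are constructed from the ones quoted in the report and in the comment; the module name `my-ftdc` is taken from the setroubleshoot suggestion, and the second record's timestamp and inode are illustrative. The `install_te_module` function is the only part that needs a real SELinux host and is not invoked here.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): derive the SELinux allow rule and a
# reviewable .te module from raw AVC records before anything is loaded.
# Only mongod_t and proc_net_t are real types from the report; the module
# name and the sample records below are ours.
set -eu

# Two AVC records constructed from the denials quoted in the report (snmp)
# and in the follow-up comment (netstat). Second timestamp/inode are made up.
SAMPLE_AVCS='type=AVC msg=audit(1533294669.0:10944): avc: denied { read } for pid=16268 comm="ftdc" name="snmp" dev="proc" ino=4026532002 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1541368029.0:20017): avc: denied { read } for pid=16268 comm="ftdc" name="netstat" dev="proc" ino=4026532003 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file'

# Read AVC records on stdin; print one deduplicated
#   allow <source_type> <target_type>:<class> <perm>;
# line per (source, target, class, permission) tuple, in first-seen order.
avc_to_allow_rules() {
  awk '
    /avc: *denied/ {
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { s = substr($i, 10) }
        else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
        else if ($i ~ /^tclass=/) { c = substr($i, 8) }
      }
      # A context is user:role:type[:level]; the type is the third field.
      split(s, sa, ":"); split(t, ta, ":")
      n = split(perms, pa, " ")
      for (j = 1; j <= n; j++) {
        if (pa[j] == "") continue
        key = "allow " sa[3] " " ta[3] ":" c " " pa[j] ";"
        if (!(key in seen)) { seen[key] = 1; print key }
      }
    }'
}

# Read allow rules (as printed above) on stdin and emit a type-enforcement
# module with the matching require block. $1 is the module name.
build_te_module() {
  awk -v name="$1" '
    function add_type(t) { if (!(t in ty)) { ty[t] = 1; tlist[++nt] = t } }
    NF == 4 && $1 == "allow" {
      split($3, tc, ":")               # target_type:class
      perm = $4; sub(/;$/, "", perm)
      add_type($2); add_type(tc[1])
      if (!((tc[2], perm) in cp)) {
        cp[tc[2], perm] = 1
        if (!(tc[2] in cls)) { cls[tc[2]] = 1; clist[++nc] = tc[2] }
        cperms[tc[2]] = cperms[tc[2]] " " perm
      }
      rules = rules "\t" $0 "\n"
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
      printf "}\n\n%s", rules
    }'
}

# On the affected host only: compile, package, load, then confirm the rule
# is in the loaded policy. checkmodule/semodule_package come from
# checkpolicy and policycoreutils, sesearch from setools-console.
# Not called in this script; run it after reading the .te by hand.
install_te_module() {   # usage: install_te_module my-ftdc   (expects my-ftdc.te)
  local name=$1
  checkmodule -M -m -o "$name.mod" "$name.te"
  semodule_package -o "$name.pp" -m "$name.mod"
  semodule -i "$name.pp"
  sesearch -A -s mongod_t -t proc_net_t -c file
}

# Stand-alone run: show the module the sample records would produce. On the
# real host, replace SAMPLE_AVCS with the output of: ausearch -c ftdc --raw
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow_rules | build_te_module my-ftdc
```

Two caveats when using the output. First, the kernel checks `read` on the inode before it checks `open` on the file, so the AVC record only shows the first check that failed; after `read` is allowed, expect a further denial for `open` (and usually `getattr`), which is why `audit2allow` runs are normally iterated until the log goes quiet. Second, because all of /proc/net carries the single type `proc_net_t`, the rule grants mongod_t read on every file there, not only the two it wanted; if the FTDC network metrics are not needed, the narrower fix is to stop the collector rather than widen policy, via MongoDB's `diagnosticDataCollectionEnabled` server parameter (set to `false` under `setParameter` in mongod.conf).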

Issue History

Date Modified      Username   Field         Change
2018-08-03 11:22   gotam19    New Issue
2018-11-04 22:47   turiyag    Note Added    0033068