Bug 1306995
| Field | Value |
|---|---|
| Summary | SELinux prevents Mongodb from writing to syslog |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Marek Skalický <mskalick> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.2 |
| CC | admiller, dominick.grift, dwalsh, extras-qa, jdornak, johan.o.hedin, jpacner, kresss, lvrabec, mgrepl, mmalik, mskalick, npmccallum, plautrba, pvrabec, srandhaw, ssekidde, strobert, tdawson, veiko |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-81.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1306819 |
| Environment | |
| Last Closed | 2016-11-04 02:42:48 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1306819 |
| Bug Blocks | |
Description
Marek Skalický
2016-02-12 12:10:33 UTC
This bug also prevents starting all MongoDB Software Collections with enabled syslog logging (not by default).

Collections: rh-mongodb26 and new collections prepared for RHSCL 2.2

Following AVC appeared in enforcing mode:

```
----
type=SYSCALL msg=audit(02/12/2016 13:43:13.584:621) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x34 items=0 ppid=1 pid=12123 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(02/12/2016 13:43:13.584:621) : avc: denied { create } for pid=12123 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket
----
```

Following AVCs appeared after switching the mongod_t type to permissive mode:

```
----
type=SYSCALL msg=audit(02/12/2016 13:46:45.318:634) : arch=x86_64 syscall=socket success=yes exit=4 a0=local a1=SOCK_DGRAM a2=ip a3=0x6f items=0 ppid=23510 pid=23511 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(02/12/2016 13:46:45.318:634) : avc: denied { create } for pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket
----
type=PATH msg=audit(02/12/2016 13:46:45.320:635) : item=0 name=/dev/log inode=6960 dev=00:05 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devlog_t:s0 objtype=NORMAL
type=CWD msg=audit(02/12/2016 13:46:45.320:635) : cwd=/
type=SOCKADDR msg=audit(02/12/2016 13:46:45.320:635) : saddr=local /dev/log
type=SYSCALL msg=audit(02/12/2016 13:46:45.320:635) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f96e6df1740 a2=0x6e a3=0x6f items=1 ppid=23510 pid=23511 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=mongod exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { sendto } for pid=23511 comm=mongod path=/dev/log scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { write } for pid=23511 comm=mongod name=log dev="devtmpfs" ino=6960 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { connect } for pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket
----
```

Any chance we can get this pushed out to RHEL 7 with the next selinux-policy patch?

This still happens. Any solution/update coming soon?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
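
An added example, not part of the bug report or of selinux-policy: a small Python parser that groups the AVC denials quoted in the description by source type, target type and object class. It shows why the enforcing-mode log exposes only the first missing permission (`socket()` fails, so `mongod` never reaches `connect` or the send), while the permissive-mode log exposes the full set. The function names are hypothetical, and the rules it prints summarize the denials; they are not the policy change shipped in the erratum.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (ausearch -i output).
ENFORCING = [
    "type=AVC msg=audit(02/12/2016 13:43:13.584:621) : avc: denied { create } for pid=12123 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket",
]
PERMISSIVE = [
    "type=AVC msg=audit(02/12/2016 13:46:45.318:634) : avc: denied { create } for pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket",
    "type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { sendto } for pid=23511 comm=mongod path=/dev/log scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket",
    "type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { write } for pid=23511 comm=mongod name=log dev=\"devtmpfs\" ino=6960 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file",
    "type=AVC msg=audit(02/12/2016 13:46:45.320:635) : avc: denied { connect } for pid=23511 comm=mongod scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; type enforcement keys on field 3.
    return context.split(":")[2]

def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        # A domain acting on its own objects is written as "self" in policy.
        tgt = "self" if tgt == src else tgt
        denied[(src, tgt, m["c"])].update(m["perms"].split())
    return denied

def as_rules(denied):
    """Render the grouped denials in type-enforcement rule syntax for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for label, log in (("enforcing", ENFORCING), ("permissive", PERMISSIVE)):
        print(label, *as_rules(summarize(log)), sep="\n  ")
```
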