Bug 1599230

Summary: Mongodb 4.0 avc denied - snmp and netstat
Product: Fedora
Component: selinux-policy
Version: 29
Status: CLOSED ERRATA
Type: Bug
Reporter: Marek Skalický <mskalick>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, mmalik, pierre-yves.goubet, plautrba, pmoore
Severity: unspecified
Priority: unspecified
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.2-34.fc29
Last Closed: 2018-09-12 02:56:35 UTC

Description Marek Skalický 2018-07-09 09:21:00 UTC
Description of problem:
MongoDB was rebased to the latest upstream version last week in Rawhide, and I'm getting AVC denied errors.

----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:703): avc:  denied  { read } for  pid=3005 comm="ftdc" name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
time->Mon Jul  9 04:52:55 2018
type=AVC msg=audit(1531126375.000:702): avc:  denied  { read } for  pid=3005 comm="ftdc" name="netstat" dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----

Could you please fix this in the SELinux policy package?


Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-26.fc29.noarch
selinux-policy-targeted-3.14.2-26.fc29.noarch


How reproducible:
always in current Fedora Rawhide

Steps to Reproduce:
1. install mongodb-server rpm
2. systemctl start mongod

Actual results:
AVC denied messages

Expected results:
No SELinux failures

Comment 1 Milos Malik 2018-07-09 17:40:52 UTC
----
type=PROCTITLE msg=audit(07/09/2018 19:39:47.004:281) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:47.004:281) : item=0 name=/proc/net/snmp inode=4026532055 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:47.004:281) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:47.004:281) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f6b4631a510 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc:  denied  { read } for  pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(07/09/2018 19:39:46.001:278) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:39:46.001:278) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:39:46.001:278) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:39:46.001:278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55946894e920 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc:  denied  { read } for  pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 
----

Comment 2 Milos Malik 2018-07-09 17:42:16 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/09/2018 19:41:24.001:442) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run 
type=PATH msg=audit(07/09/2018 19:41:24.001:442) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/09/2018 19:41:24.001:442) : cwd=/ 
type=SYSCALL msg=audit(07/09/2018 19:41:24.001:442) : arch=x86_64 syscall=openat success=yes exit=30 a0=0xffffff9c a1=0x55e50a034ca0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2991 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null) 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { open } for  pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { read } for  pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 
----

Comment 3 Marek Skalický 2018-07-11 06:45:57 UTC
Note: MongoDB is expected to do this, because it collects diagnostic data (hence the FTDC name).

Comment 4 Lukas Vrabec 2018-07-20 12:22:20 UTC
Milos, 

Thanks for testing it on Fedora :)

Comment 5 Jan Kurik 2018-08-14 11:17:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 6 Marek Skalický 2018-08-14 11:47:28 UTC
Would it be possible to backport this to F28? Should I create a new bug?

Comment 7 Lukas Vrabec 2018-08-23 11:06:28 UTC
lvrabec@lvrabec-workstation /tmp » audit2allow -i avc 


#============= mongod_t ==============

#!!!! This avc is allowed in the current policy
allow mongod_t proc_net_t:file { open read };
lvrabec@lvrabec-workstation /tmp » rpm -q selinux-policy
selinux-policy-3.14.1-40.fc28.noarch


Should be fixed in the latest selinux-policy rpm package.
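
As an added example (not code from this bug, the reporter, or the selinux-policy project), the following Python reproduces what audit2allow did in the comment above for the records quoted in this bug: it parses both AVC record shapes shown here (raw auditd and ausearch -i output, taking the type from the third field of each security context), merges the denials into allow rules keyed by source type, target type and object class, keeps the permissive flag so enforced denials can be told apart from logged-only ones, and checks each denial against existing allow rules, which is how the "This avc is allowed in the current policy" note can be confirmed. All function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample list; the two records are copied from this bug: a raw auditd line
# (permissive=0, the open failed) and an ausearch -i line (permissive=1, only logged).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1531126375.000:703): avc:  denied  { read } for  pid=3005 comm="ftdc" '
    'name="snmp" dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc:  denied  { open } for  pid=2991 '
    'comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 '
    'scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S*\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')
# Matches "allow s t:c { p1 p2 };" and "allow s t:c p;" as audit2allow and sesearch print them.
RULE_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;')

def parse_avc(line):
    """Return (stype, ttype, tclass, perms, enforced) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m.group('stype'), m.group('ttype'), m.group('tclass'),
            frozenset(m.group('perms').split()), m.group('permissive') != '1')

def parse_rules(policy_text):
    """Parse allow rules into {(stype, ttype, tclass): set(perms)}; comment lines are skipped."""
    rules = defaultdict(set)
    for m in RULE_RE.finditer(policy_text):  # group 4: braced perm list, group 5: single perm
        rules[(m.group(1), m.group(2), m.group(3))].update(
            m.group(4).split() if m.group(4) is not None else [m.group(5)])
    return rules

def denials_to_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules, as audit2allow does."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        rules[d[:3]].update(d[3])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]

def uncovered(lines, policy_text):
    """Denials whose permissions the given policy rules do not already grant."""
    policy = parse_rules(policy_text)
    return [d for d in filter(None, map(parse_avc, lines)) if not d[3] <= policy.get(d[:3], set())]
```

Feeding real records from ausearch into denials_to_rules gives the same merged rule that audit2allow printed in this comment, and an empty result from uncovered against the output of sesearch -A for mongod_t confirms the loaded policy already covers them.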

Comment 8 Fedora Update System 2018-09-11 12:50:18 UTC
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 9 Fedora Update System 2018-09-12 02:56:35 UTC
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.