Bug 1599230
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Mongodb 4.0 avc denied - snmp and netstat | | |
| Product | [Fedora] Fedora | Reporter | Marek Skalický <mskalick> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 29 | CC | dwalsh, lvrabec, mgrepl, mmalik, pierre-yves.goubet, plautrba, pmoore |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.14.2-34.fc29 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-09-12 02:56:35 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description (Marek Skalický, 2018-07-09 09:21:00 UTC)
```
----
type=PROCTITLE msg=audit(07/09/2018 19:39:47.004:281) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run
type=PATH msg=audit(07/09/2018 19:39:47.004:281) : item=0 name=/proc/net/snmp inode=4026532055 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/09/2018 19:39:47.004:281) : cwd=/
type=SYSCALL msg=audit(07/09/2018 19:39:47.004:281) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f6b4631a510 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc: denied { read } for pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(07/09/2018 19:39:46.001:278) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run
type=PATH msg=audit(07/09/2018 19:39:46.001:278) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/09/2018 19:39:46.001:278) : cwd=/
type=SYSCALL msg=audit(07/09/2018 19:39:46.001:278) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55946894e920 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2282 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc: denied { read } for pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
----
```

Following SELinux denials appeared in permissive mode:

```
----
type=PROCTITLE msg=audit(07/09/2018 19:41:24.001:442) : proctitle=/usr/bin/mongod -f /etc/mongod.conf run
type=PATH msg=audit(07/09/2018 19:41:24.001:442) : item=0 name=/proc/net/netstat inode=4026532054 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/09/2018 19:41:24.001:442) : cwd=/
type=SYSCALL msg=audit(07/09/2018 19:41:24.001:442) : arch=x86_64 syscall=openat success=yes exit=30 a0=0xffffff9c a1=0x55e50a034ca0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2991 auid=unset uid=mongodb gid=mongodb euid=mongodb suid=mongodb fsuid=mongodb egid=mongodb sgid=mongodb fsgid=mongodb tty=(none) ses=unset comm=ftdc exe=/usr/bin/mongod subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { open } for pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { read } for pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
----
```

To note: MongoDB is expected to do this, because it collects diagnostic data - FTDC name.

---

Milos, Thanks for testing it on Fedora :)

---

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

---

Would it be possible to backport this to F28? Should I create a new bug?

---

```
lvrabec@lvrabec-workstation /tmp » audit2allow -i avc

#============= mongod_t ==============

#!!!! This avc is allowed in the current policy
allow mongod_t proc_net_t:file { open read };

lvrabec@lvrabec-workstation /tmp » rpm -q selinux-policy
selinux-policy-3.14.1-40.fc28.noarch
```

Should be fixed in the latest selinux-policy rpm package.

---

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

---

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
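Added example (not code from this bug report, from MongoDB or from audit2allow): a small Python triage helper that parses AVC records like the ones quoted above, groups them by source type, target type and object class, tracks whether each denial was actually blocked (permissive=0) or only logged (permissive=1), and renders the allow rule in the form audit2allow printed in the thread. The sample records are constructed copies of the denials in this report.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the AVC lines quoted in this bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(07/09/2018 19:39:47.004:281) : avc: denied { read } for pid=2282 comm=ftdc name=snmp dev="proc" ino=4026532055 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(07/09/2018 19:39:46.001:278) : avc: denied { read } for pid=2282 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { open } for pid=2991 comm=ftdc path=/proc/2991/net/netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(07/09/2018 19:41:24.001:442) : avc: denied { read } for pid=2991 comm=ftdc name=netstat dev="proc" ino=4026532054 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1',
]

# Pull the permission set, both security contexts, the object class and the
# permissive flag out of one AVC record; other audit record types do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of an AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source_type': m.group('scontext').split(':')[2],  # e.g. mongod_t
        'target_type': m.group('tcontext').split(':')[2],  # e.g. proc_net_t
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
    }

def summarize(lines):
    """Group denials by (source type, target type, class), union their
    permissions and count how many were actually blocked (permissive=0)."""
    groups = defaultdict(lambda: {'perms': set(), 'blocked': 0, 'permissive': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['source_type'], rec['target_type'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['permissive' if rec['permissive'] else 'blocked'] += 1
    return dict(groups)

def allow_rules(summary):
    """Render one allow rule per group, in the form audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summary.items())]
```

The blocked/permissive counts show at a glance that the enforcing-mode denials really stopped mongod's FTDC reads, while the permissive-mode records only reveal the extra `open` permission the final rule needs.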