Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1306819 - SELinux Prevents Mongodb from writing to syslog
Summary: SELinux Prevents Mongodb from writing to syslog
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1306995
TreeView+ depends on / blocked
 
Reported: 2016-02-11 19:07 UTC by Seth Kress
Modified: 2016-02-26 19:24 UTC (History)
14 users (show)

Fixed In Version: selinux-policy-3.13.1-158.7.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1306995 (view as bug list)
Environment:
Last Closed: 2016-02-26 19:24:01 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
sealert output. (2.15 KB, text/plain)
2016-02-11 19:07 UTC, Seth Kress
no flags Details

Description Seth Kress 2016-02-11 19:07:04 UTC
Created attachment 1123284 [details]
sealert output.

Description of problem:
Mongod cannot start when configured to log to syslog.

Version-Release number of selected component (if applicable):
mongodb.x86_64         2.6.11-1.el7
mongodb-server.x86_64  2.6.11-1.el7                                 

How reproducible:
Always.

Steps to Reproduce:
1. Install mongodb-server

2. Configure to use syslog loging. Edit /etc/mongod.conf and set the following:

syslog = true
syslogFacility = user
#logpath = /var/log/mongodb/mongod.log


3. Start mongod

# systemctl start mongod



Actual results:

Lots of denials.

From /var/log/messages

Feb 11 18:57:47 happy setroubleshoot: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown. For complete SELinux messages. run sealert -l 93b4d9c4-7003-4caa-b882-ac5b0d4ab85e

Feb 11 18:57:47 happy python: SELinux is preventing /usr/bin/mongod from create access on the unix_dgram_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep mongod /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012




Expected results:

Mongod writes out to syslog and no selinux denials. Maybe this should/does require an sebool?

Additional info:

Comment 1 Marek Skalický 2016-02-12 11:11:30 UTC
Moving to selinux-policy.

This bug affect all versions of Fedora and also EPEL.


SELinux info from F23:

SELinux is preventing mongod from create access on the unix_dgram_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mongod should be allowed create access on the Unknown unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mongod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mongod_t:s0
Target Context                system_u:system_r:mongod_t:s0
Target Objects                Unknown [ unix_dgram_socket ]
Source                        mongod
Source Path                   mongod
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.3.5-300.fc23.x86_64
                              #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-02-12 11:55:02 CET
Last Seen                     2016-02-12 11:55:04 CET
Local ID                      e337899f-d93d-4e16-87cc-946bb15094ca

Raw Audit Messages
type=AVC msg=audit(1455274504.344:4698): avc:  denied  { create } for  pid=10112 comm="mongod" scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:system_r:mongod_t:s0 tclass=unix_dgram_socket permissive=0


Hash: mongod,mongod_t,mongod_t,unix_dgram_socket,create

Comment 2 Lukas Vrabec 2016-02-15 12:20:56 UTC
commit ce02c3567f10a859cc74293009cdeca3e3e583ae
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 15 13:19:18 2016 +0100

    Allow create mongodb unix dgram sockets. rhbz#1306819

Comment 3 Fedora Update System 2016-02-17 13:47:32 UTC
selinux-policy-3.13.1-158.7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c

Comment 4 Fedora Update System 2016-02-17 22:31:08 UTC
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9ce8624a6c

Comment 5 Fedora Update System 2016-02-26 19:23:53 UTC
selinux-policy-3.13.1-158.7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.